Analysis

  • max time kernel
    114s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 01:40

General

  • Target

    dfc22ad60a3e5c942e56e20a9b634aa0N.exe

  • Size

    281KB

  • MD5

    dfc22ad60a3e5c942e56e20a9b634aa0

  • SHA1

    24cba7c577b7083f4c403d041fe9ae3eae8e7ad5

  • SHA256

    ad519fbe45377b1ba91db0b8bf615a733950433ad6b913f6dda64e1b9f6fa9f8

  • SHA512

    86da6334ba54bd75250044bd498781f8ab8e0ff30321fc5905ca38f85ba5e2d6b57298d4d45ce553693ae0b9a864294dfc99acf0706eb4c398a54c1e415e5f77

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6Si

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:3644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      281KB

      MD5

      0384a1616c3b7794892f88e46c4ca743

      SHA1

      950bcd5a65e9196c4342c31b057f2c402deaeefd

      SHA256

      9a34d6202e02051d366306bc21a08bc51ea46f7e41c1dcedbf9308da531b06ce

      SHA512

      46f3e4e83fec944dc3e71c70014c11ceea992dc12e01e804fb77f242b4a7fa0832f083838cee5d5a39099c81d50937de1d5a0410169ef0a44befc030b4076dc7

    • memory/1256-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

      Filesize

      4KB

    • memory/1256-1-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/1256-2-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/1256-3-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/1256-17-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/2952-18-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/2952-19-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB

    • memory/2952-21-0x0000000074C90000-0x0000000075241000-memory.dmp

      Filesize

      5.7MB