Overview

overview

7

Static

static

3

8f51f2ce93...0N.exe

windows7-x64

5

8f51f2ce93...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 02:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8f51f2ce93433514f87cdb4ed20b8560N.exe

  • Size

    348KB

  • MD5

    8f51f2ce93433514f87cdb4ed20b8560

  • SHA1

    f79ad4c224b9dbdf3809aedc7ec9d1bcccca228e

  • SHA256

    54f49a6c62fc8ae5897c3f08c0ed3ad5eb231c5c6621a566aac12e05abea8b36

  • SHA512

    198aedb95ff337da125568ad890d617a22b0fbe5ddd70008f4ec57503bf03b4c43719cd422a1966113cb9ec75a9ee1d7c2bf689c807b1ca079922596469fd1fc

  • SSDEEP

    6144:ybpFMByWEhy9vBpHLnU+r/f79MzNtukvSodidiHlFE:y9y2hqbLnZr/5MJt5qZi/E

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f51f2ce93433514f87cdb4ed20b8560N.exe
    "C:\Users\Admin\AppData\Local\Temp\8f51f2ce93433514f87cdb4ed20b8560N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\backgroundTaskHost.exe
      "backgroundTaskHost.exe"
      2⤵
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\wuh7CAB.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\8f51f2ce93433514f87cdb4ed20b8560N.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8f51f2ce93433514f87cdb4ed20b8560N.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1792
      2⤵
      • Program crash
      PID:4576
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1572
      2⤵
      • Program crash
      PID:1908
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
    1⤵
      PID:3556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2064 -ip 2064
      1⤵
        PID:3608

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\d2bh68f622.exe
              Filesize

              348KB

              MD5

              779ccfcabba9c335abb4bcd1cd7a459e

              SHA1

              1f997866ead83561764f4ee3b252f7ee03efd74d

              SHA256

              6426674f7546479b2f05a6aa7792699f1415e38aa4e220cfbeffff7685b359d7

              SHA512

              a44a7499f4aa81d55052f0e4baf536b2234b1bf1882186845d30bdaf54295089b56b987b515baa56d8ba94c6608b12dd3fb10574954e46d1ecb718b9764135e9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8
              Filesize

              29B

              MD5

              1d129e71d0de4ba3782a6d94c0b2e3c8

              SHA1

              517cfc2ef812b7408e7a5f5a25bfb16f026709f5

              SHA256

              019a5a204d95745c0b0aa55a1685f0c1d53ecb13bb09eb428ad463bb5f7fe4fb

              SHA512

              d2f9ef378141111d187f274a042973bc8dd28887892db010259ac3c3b6d88326f3f7c62908de14417e123885fe8e103bd0365590d48e7e923b5de91390a65b6f

              Download Submit

            • C:\Users\Admin\AppData\Local\wuh7CAB.tmp.bat
              Filesize

              53B

              MD5

              9f16d40e0104af15c183890db51a613a

              SHA1

              0e1548e5c6f64df5d08d3403e9ecb7abdd26577f

              SHA256

              dc8e2f1c6ad1edf468dde9341ab62bc4721c91c7cb47ae40977d5e969360af17

              SHA512

              f3b909ed91047744f54cfc2481765addec44bc9db922b2d660c4d304743fdac02f624aebf52b0452127007ff4b3f028a45b0b3ccc1d140bc6cbacec55d226b86

              Download Submit

            • memory/1260-293-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-299-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-8-0x0000000000470000-0x0000000000471000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-433-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-11-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-450-0x0000000002480000-0x0000000002481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-295-0x00000000006D0000-0x00000000007D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1260-448-0x0000000002480000-0x0000000002481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-455-0x00000000006D0000-0x00000000007D0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1260-300-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-303-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-468-0x0000000000550000-0x0000000000551000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-307-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/1260-353-0x00000000007D0000-0x000000000083A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/2064-10-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download

            • memory/2064-431-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download

            • memory/2064-432-0x0000000000457000-0x000000000045B000-memory.dmp

              Filesize

              16KB

              Download

            • memory/2064-0-0x0000000000457000-0x000000000045B000-memory.dmp

              Filesize

              16KB

              Download

            • memory/2064-5-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download

            • memory/2064-4-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download

            • memory/2064-3-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download

            • memory/2064-1-0x0000000000400000-0x0000000000461000-memory.dmp

              Filesize

              388KB

              Download