Overview

overview

4

Static

static

1

budget = 2300$.txt

windows11-21h2-x64

4

Resubmissions

19-08-2024 02:57

240819-dfrnas1aja 4

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-08-2024 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    budget = 2300$.txt

  • Size

    396KB

  • MD5

    557e20d7dbadcc21cf5bf2f9f33024d6

  • SHA1

    1bd9522429227230b2382b9de5870be987fcc65a

  • SHA256

    25698b9a4c3237ddfc87bfb5555da534b82954b2271e6ef4f8d13d1c4db5121d

  • SHA512

    4eda18d1fc7d25c93ab9c943337202fcca685e299d002e5328b033f7a0e9e47d757a1aa2c9b4c3cc9d6ded34508fbab8a0872c8928efaaec1b4d7ec50c754c29

  • SSDEEP

    48:SUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU+:n

Score
4/10
discovery

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\budget = 2300$.txt"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\budget = 2300$.txt
      2⤵
        PID:1536
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:396
      • C:\Windows\System32\oobe\UserOOBEBroker.exe
        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        PID:2520
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        PID:3708
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        "C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3472
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:972

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        10KB

        MD5

        a7f391566ceb7d310b04c1376aa66a07

        SHA1

        eda88e9134d3de209152481c9e8aa02054d4c2eb

        SHA256

        8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

        SHA512

        163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

        Download Submit

      • memory/3472-10-0x000001F1CA480000-0x000001F1CA490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3472-11-0x000001F1CA480000-0x000001F1CA490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3472-12-0x000001F1CA480000-0x000001F1CA490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3472-14-0x000001F1CA650000-0x000001F1CA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3472-13-0x000001F1CA650000-0x000001F1CA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3472-15-0x000001F1CA650000-0x000001F1CA660000-memory.dmp

        Filesize

        64KB

        Download