Analysis

  • max time kernel
    120s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 06:34

General

  • Target

    bd3be383f988bcb73cc1808c4a270240N.exe

  • Size

    364KB

  • MD5

    bd3be383f988bcb73cc1808c4a270240

  • SHA1

    53680bee4bc869f4da27899d0caf8277b8c1d40b

  • SHA256

    ec6ca61775dc372a1a2059cc06b50acc294b9650c317ef8567473d6178725708

  • SHA512

    a822bc294e907b51070752e94a0e86560efc5583201648a5da5389f17e5b99adf024ae0f4176acf01213eb328baf73c97424a628bdf01787027f71e7d95c9486

  • SSDEEP

    3072:0mGAiXP9cJuGEnvBGKcHplTOoX56B4uE7U4iy+LwldhzNkYMvMZqvRWK6toRG9DO:29KuPnvBGdxYJxwphkYMvMZ/DO

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd3be383f988bcb73cc1808c4a270240N.exe
    "C:\Users\Admin\AppData\Local\Temp\bd3be383f988bcb73cc1808c4a270240N.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\tytev.exe
      "C:\Users\Admin\tytev.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\tytev.exe

    Filesize

    364KB

    MD5

    6e735b2431def8c3f96a2c4b8cfbef2d

    SHA1

    e09908fec4872f2bb6ef38b5066acc14a7d3f4e6

    SHA256

    14766f9d3d91b77a06e063babe0f815120eea74e4299da8b39b99dc175e71d45

    SHA512

    2727dff21fae2534c777af7705d31f801c8f33c1b6a45a019b10dbdfd95db4c1fd0e2ffb485a8f89f39132483d7596570246ffde947e050ba0217133bb3048a7