Overview

overview

8

Static

static

3

698af3c26c...d1.exe

windows7-x64

1

698af3c26c...d1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    698af3c26c7433818ed532e8d84b525f34c88b99f30ccb543e24102223e2ebd1.exe

  • Size

    1.0MB

  • MD5

    07ebe6bd39d47f8d9533d7910497510b

  • SHA1

    050bd05707529b4fb46608b276682d4be1fcfb88

  • SHA256

    698af3c26c7433818ed532e8d84b525f34c88b99f30ccb543e24102223e2ebd1

  • SHA512

    68fd8a9e4e25452142365f93657482839bef10dd6b88ea0f36ccc0f4dfbe79463aa13c84fcbc4148fa530c1a665e30f9a72acfbb0379368b5fc56da3473d044f

  • SSDEEP

    12288:otXlW6JhG2lO8FbG5byJR//uXShuqO3daKScHj/mTnGM:otE6JY2sYS5GJRuHkcHqTnGM

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\698af3c26c7433818ed532e8d84b525f34c88b99f30ccb543e24102223e2ebd1.exe
    "C:\Users\Admin\AppData\Local\Temp\698af3c26c7433818ed532e8d84b525f34c88b99f30ccb543e24102223e2ebd1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Users\Admin\AppData\Roaming\flexxloader\tempver.exe
      "C:\Users\Admin\AppData\Roaming\flexxloader\tempver.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\flexxloader\Guna.UI.dll
    Filesize

    876KB

    MD5

    6d6a1f28978d42ad2f0a8f278eaac966

    SHA1

    b09168ec88109422ca29cf4f1b6462d51930873d

    SHA256

    fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e

    SHA512

    76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\flexxloader\tempver.exe
    Filesize

    2.5MB

    MD5

    bc4706d4725cd7eaac614d28213d51fd

    SHA1

    e24131db024287999645090fd632a6ede006262e

    SHA256

    5d1298922e0d261c67d4bbf229fa32c4aacb8c3fdf9bcd8243802a4a7e3349b0

    SHA512

    239fb423c2cec36dd6de48e81b7b681bed55cd1a35b31f18c4119202369ff6a60f8179adfb5b60a05af6681c44bb539fd4ced69ebdeffa4922f39e5818c91777

    Download Submit

  • memory/3168-23-0x00000139FB9A0000-0x00000139FB9E2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3168-17-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3168-16-0x00000139E1280000-0x00000139E1500000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3168-20-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3168-22-0x00000139FBEC0000-0x00000139FBFA0000-memory.dmp

    Filesize

    896KB

    Download

  • memory/3168-24-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3168-25-0x00000139FBB70000-0x00000139FBC72000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3168-26-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3400-0-0x00007FFA09743000-0x00007FFA09745000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3400-18-0x000001C070C60000-0x000001C070D62000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3400-19-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3400-1-0x000001C06C480000-0x000001C06C586000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3400-2-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

    Filesize

    10.8MB

    Download