Analysis

  • max time kernel
    111s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-08-2024 08:33

General

  • Target

    c3da0516f06df08b9592e453c44247d0N.exe

  • Size

    193KB

  • MD5

    c3da0516f06df08b9592e453c44247d0

  • SHA1

    64903d264f25659ec99e7b8dd419cb703f8a9ab8

  • SHA256

    e5edb5a0b2e4cf611675b595f23a825635a9b3dee7aba34ae061bcc6955bb32f

  • SHA512

    d3118e1187ead203988c68a52ed468998404ad5c0bd28f60f19d7022a7a86e3d586a85e19aa57c420be900628023caa5224c1b733697a7fb5c4a61aafd4aecde

  • SSDEEP

    6144:DBs27GluLyXxQQIIIhg6XXXDzXXX13s2III/TAXXXmlXXXLIIIG/ru5Ygn:DK2+yQIII1XXX/XXX62III/UXXXmlXX2

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing (the sample may behave differently depending on the configured region).

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by their intrusion activity. Here the sample spawns cmd.exe to delete its own original executable after dropping a copy (see the process tree below).

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3da0516f06df08b9592e453c44247d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\c3da0516f06df08b9592e453c44247d0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C3DA05~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3504
  • C:\Windows\Debug\dcihost.exe
    C:\Windows\Debug\dcihost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    PID:3044
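
The tree above shows the two behaviours worth a detection: the sample spawning cmd.exe to delete its own image, and the dropped copy executing from C:\Windows\Debug. Note the 8.3 short name C3DA05~1.EXE in the del command line; a rule that compares the deleted path against the parent's full image path will miss it. The following Python is an added example, not part of the sandbox report or of the sample. The events are constructed from the process list above as hypothetical Sysmon-style records; the report does not expose parent PIDs for the two root processes, so those are left as None.

```python
"""Detection helpers for the drop-and-self-delete pattern in the tree above."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the process tree in the report (hypothetical Sysmon-style
# events); the sandbox does not show parent PIDs for the two roots.
EVENTS = [
    ProcEvent(4664, None,
              r"C:\Users\Admin\AppData\Local\Temp\c3da0516f06df08b9592e453c44247d0N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\c3da0516f06df08b9592e453c44247d0N.exe"'),
    ProcEvent(3504, 4664,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C3DA05~1.EXE > nul'),
    ProcEvent(3044, None,
              r"C:\Windows\Debug\dcihost.exe",
              r"C:\Windows\Debug\dcihost.exe"),
]

# `del`, optional switches such as /q /f, then a quoted or bare path.
_DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+("?)([^"\s>]+)\1', re.IGNORECASE)
# 8.3 alias base name: up to six characters, a tilde and a counter.
_SHORT_RE = re.compile(r"^(.{1,6})~\d+$")


def parse_del_target(cmdline: str) -> Optional[str]:
    """Return the path passed to cmd.exe's `del`, or None if nothing is deleted."""
    m = _DEL_RE.search(cmdline)
    return m.group(2) if m else None


def short_name_matches(short: str, long: str) -> bool:
    """True if `short` is the same name as `long` or a plausible 8.3 alias of it.

    Windows builds the alias from the first six characters of the long base
    name (spaces and dots removed), '~' plus a counter, and the first three
    characters of the extension, all upper-cased.  Caveat: after four
    collisions Windows switches to a hash-based alias (two characters plus
    four hex digits); that form is not recognised here.
    """
    if short.upper() == long.upper():
        return True
    s_base, s_ext = ntpath.splitext(short.upper())
    l_base, l_ext = ntpath.splitext(long.upper())
    m = _SHORT_RE.match(s_base)
    if not m:
        return False
    l_clean = l_base.replace(" ", "").replace(".", "")
    return l_clean.startswith(m.group(1)) and l_ext[:4] == s_ext


def _same_file(target: str, image: str) -> bool:
    """Compare a del target with an image path, ignoring case and 8.3 aliasing."""
    t_dir, t_name = ntpath.split(target)
    i_dir, i_name = ntpath.split(image)
    return ntpath.normcase(t_dir) == ntpath.normcase(i_dir) and short_name_matches(t_name, i_name)


def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Flag a cmd.exe child whose `del` target is its parent's own image.

    Returns (child pid, parent pid, deleted path) for each hit.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe" or e.ppid not in by_pid:
            continue
        target = parse_del_target(e.cmdline)
        if target and _same_file(target, by_pid[e.ppid].image):
            hits.append((e.pid, e.ppid, target))
    return hits


def find_exec_from_windows_debug(events: List[ProcEvent]) -> List[int]:
    r"""Flag images started from under C:\Windows\Debug, a log directory that
    normally holds no executables; the dropped copy above runs from there."""
    prefix = ntpath.normcase(r"C:\Windows\Debug") + "\\"
    return [e.pid for e in events if ntpath.normcase(e.image).startswith(prefix)]


if __name__ == "__main__":
    for child, parent, path in find_self_deletion(EVENTS):
        print(f"self-deletion: pid {child} deleted the image of parent pid {parent}: {path}")
    for pid in find_exec_from_windows_debug(EVENTS):
        print(f"executable launched from C:\\Windows\\Debug: pid {pid}")
```

Both checks are heuristics: the self-deletion rule needs the parent's image path, so it only works on telemetry that records the parent (Sysmon event 1 does), and the 8.3 matcher deliberately accepts any counter digit rather than recomputing the exact alias, since that depends on what else was in the directory at drop time.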

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\dcihost.exe

    Filesize

    193KB (the same size as the submitted sample, but with different hashes, so the dropped copy is not byte-identical to the original)

    MD5

    e65bac4586522031bf4be35bd30183e2

    SHA1

    4565d851079722d9351365879dbfbca00590d7eb

    SHA256

    f2f80f88cbfea4e86e02192e46b77a231bfccf635864bd42ce4b7f16d0c97cf6

    SHA512

    7a143cdd08c8db0aed509acbbf85bfbe294fbe5b215cb7059d96fed1b9f1fe89c373e1340a3e8ec8835feeb949e1b8b9dcea42cf2035699b07e2819d91ed3bf8