Analysis

  • max time kernel
    111s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 00:14

General

  • Target

    03d9907796b6a0520cd7816d9e5d5500N.exe

  • Size

    63KB

  • MD5

    03d9907796b6a0520cd7816d9e5d5500

  • SHA1

    090466b25bc0bb93bb907948ab123c4cfaac188a

  • SHA256

    068b11dfd54c70eef5005a080a163e6151e625b77936e06c49ad64684434b3ae

  • SHA512

    3ac5849ff9b88f63a6e65c26218db692dbefd35b5f221d66f47ad394b84c7c2a376f6c408e2a1ad5d4c04c27a695ef6a90dd116d6ec83642969719d4b645f310

  • SSDEEP

    1536:fvQoLHjw2iWPKMvw71oLyXQUUqnouy8YXVvvvZeee5Lttttn:fv5Ls27BIJoLyXTUyoutYXveeeRttttn

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03d9907796b6a0520cd7816d9e5d5500N.exe
    "C:\Users\Admin\AppData\Local\Temp\03d9907796b6a0520cd7816d9e5d5500N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\03D990~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1724
  • C:\Windows\Debug\tuehost.exe
    C:\Windows\Debug\tuehost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    PID:388

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\debug\tuehost.exe

    Filesize

    63KB

    MD5

    50ec58553b97ae21d317803479dd0790

    SHA1

    1ac218cf56af078631eabce7b7e0f46f024a9afd

    SHA256

    383be64ef8a008cf628107c5a754fda9c88c0864ff6769e4c9bfa11ab7823824

    SHA512

    15763ab8f6c43f7f3eb2cdf1fcc8e89d1b837c14e2a8907fe6e517ed0f86d0845364ae1d396ca2a99a5cd5a6b5a82725c5d31db421a7e609d7357bd0095d9f9e

  • memory/388-6-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/3604-0-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/3604-5-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB