Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2024 16:34

General

  • Target

    PekzLOG.exe

  • Size

    535KB

  • MD5

    5504cead28af15658cd2c26c358759e6

  • SHA1

    5d444a6f79f1ce9069c4a940687ced21b96e616c

  • SHA256

    f2cea2ace90fadcf5ee82ed9ebc1f7dc577a3b1fbce75b2831c1b170879d5494

  • SHA512

    ce79c86f3ac81b9e8786e49af78b13f1804635d64d19d2798b00e05b201433c0297a99cf09fabe4f05ddd0c4327ed72982049fbee4b209724de543bfd20ac188

  • SSDEEP

    12288:PDcHFdwvfQky4ng/q2cTvw/oXTQUxTkGAVTeTveexB2sOr:PDcHF6XHBeWUoXv5lokee+r

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe
    "C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1239694C.dll" /A:H
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:1160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1239694C.dll

      Filesize

      584KB

      MD5

      feb5236bd41cc5f9cfc5b5dc25e66d25

      SHA1

      6e3f599e8a57733655ddaa7703bbe939fd447216

      SHA256

      6b64d5962e50dd590831dd7fbc6a09196fe03696d2767fc6416ac11edd2e0593

      SHA512

      8e250045bf4acccd05ea0fddb54c936b9a1c7e25995f09815d31a86fbf9d28d17e71c33990420aa660e885c3950095499cf51d6944c4dd2735b2f993eb0b9507

    • memory/4308-0-0x00007FFE8FBC3000-0x00007FFE8FBC5000-memory.dmp

      Filesize

      8KB

    • memory/4308-1-0x0000000000800000-0x0000000000890000-memory.dmp

      Filesize

      576KB

    • memory/4308-5-0x000000001B6A0000-0x000000001B7E2000-memory.dmp

      Filesize

      1.3MB

    • memory/4308-6-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-9-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-8-0x0000000001160000-0x0000000001166000-memory.dmp

      Filesize

      24KB

    • memory/4308-11-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-12-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-13-0x0000000001170000-0x0000000001176000-memory.dmp

      Filesize

      24KB

    • memory/4308-15-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

      Filesize

      10.8MB