Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01/09/2024, 14:40

General

  • Target

    c763d4e15f8c17fef4f48f35d1673a80N.exe

  • Size

    216KB

  • MD5

    c763d4e15f8c17fef4f48f35d1673a80

  • SHA1

    057e91d04050d415295f241bd9e174a3bf637da0

  • SHA256

    ac2ad40f5a678f062a71e22475b34c701489ba86d60f857bc58114fcda3551cb

  • SHA512

    be2227cd793e41928f7d1336eecfcd34ae9bafaa7bc34f831d4aa668393e7ea88c42d16d9962b75bd35ca3a685bf78f0a8fe96aca783b71ed8bd6d9d5dfa9250

  • SSDEEP

    3072:nYjaMKTuxxnM3/7eFE+S2/goM2IFNGzBkl9s7Y:Yn/nM36q+VM2CWs9z

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 48 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c763d4e15f8c17fef4f48f35d1673a80N.exe
    "C:\Users\Admin\AppData\Local\Temp\c763d4e15f8c17fef4f48f35d1673a80N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\gueqir.exe
      "C:\Users\Admin\gueqir.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\gueqir.exe

    Filesize

    216KB

    MD5

    292a58e946e5db1de047e358634025bc

    SHA1

    8138e1120cc1e1f9babc7bf9b549c15b731312e1

    SHA256

    ebc2505281be1601929a123788c335506b906a84f83ca261709c66f8c705382a

    SHA512

    3772d7254126e531f717cc7ab5c43cb69ada343cc502cb512b88c06feda969506ba2bc675926c9db875cb00d830551df139ac511b2025de9d04d3d7a0ff326bb

  • memory/1604-33-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1604-38-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/3356-0-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/3356-37-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB