Analysis

  • max time kernel
    120s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2024, 13:40

General

  • Target

    50a07b7dc7fce2caf921093b5017e6b0N.exe

  • Size

    170KB

  • MD5

    50a07b7dc7fce2caf921093b5017e6b0

  • SHA1

    3a8fa404134394ce3a17e1ed41d3fafe243462da

  • SHA256

    ec6aebaf897b7513438d0a9e948faa76074e04a0c4cf9921c8c7ae6c1895d13e

  • SHA512

    4176776c68fcf05112eccb45f19ecc330dd91e8ea2113846d3a12c00ef1e5a7dcd3f9e32bc4be2a2b83cd3278c6bb5c762d405573a418073151c780a7dade306

  • SSDEEP

    3072:KJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Ux:MAm5oh63laEo+pXX1pkF8mxeq5+4m71t

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 14 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe"
    1⤵
    • Enumerates connected drives
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\ProgramData\Ole32\sppcomapi.exe
      "C:\ProgramData\Ole32\sppcomapi.exe" 1
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe
        "C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5084
    • C:\ProgramData\Ole32\sppcomapi.exe
      "C:\ProgramData\Ole32\sppcomapi.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\ProgramData\Ole32\sppcomapi.exe
        "C:\ProgramData\Ole32\sppcomapi.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2840
  • C:\ProgramData\Ole32\sppcomapi.exe
    C:\ProgramData\Ole32\sppcomapi.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\ProgramData\Ole320\sppcomapi.exe
      "C:\ProgramData\Ole320\sppcomapi.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Ole320\oprisu\acetxaku.dmp

    Filesize

    2KB

    MD5

    5d2ab29e9166c73f22ac9109f9dc17c4

    SHA1

    5dea89901ed2da98ecd2f5d437f9a2562d3b3296

    SHA256

    be0038a0c6edd62f2d1a4227a909dff8d8fc95b2c4b63c18d1e26836597efd0e

    SHA512

    f5445d77b6f3a3654e4a4b5dfdbc51b25bf93ebc20b9ab16ac1c4896bddbd0b04039f002b10cae508dbb663d9df3ac58ed2fb8783e4a26408be8657540924364

  • C:\ProgramData\Ole320\oprisu\pan.dmp

    Filesize

    9KB

    MD5

    e9bd461ff5e85e44d41c0d6b6171e8fb

    SHA1

    309f6073a9f257bacc0a4edbac8be83fb5cbd8f2

    SHA256

    47ec18d1443b49491e34c6385908d38b2d937202c9317176384c6b5f4d6461ff

    SHA512

    dea953f793ff78b19da7d08e92ca88716a917a0f913663b1155b30da22d04679c4081fff9184ca139e48c6d2028f4ae8ea489817c60780b058195a5db3ff7e4b

  • C:\ProgramData\Ole320\wuusefomve.drv

    Filesize

    6KB

    MD5

    7e12f1ea53d46793c21e41f9b9ba7782

    SHA1

    b3232b188b9d1989d97260989a8c175a14d7d282

    SHA256

    a843396dd883c4b7faa3e9df53a64573772a2606df17e8406dc5526298699b24

    SHA512

    f90b9058e89d8aeb7603dee9f1f6879f7dac4cf8da90c866fced0f240154d6f91f28a1e3348274b390043c95b16763d1543db6ef820ce209bb1b707557167d5e

  • C:\ProgramData\Ole320\xeepame\iwendupee.cat

    Filesize

    3KB

    MD5

    27113939fdda7325a18d8079c7e251b7

    SHA1

    644e9d51c4c552f21e30f5f32e1483624deb25f9

    SHA256

    9569ea7d1576f3a3f4e881602a2d79db94cf983a75b77e87c61188613766e4f8

    SHA512

    08541e51d9f65ee5bc06c21786a46cf2fee5ff7b55db26f480325471bde7635e24555d171e0ceb399e466081adf85844a164389f66afb63eaed1b984d5df9657

  • C:\ProgramData\Ole320\xeepame\oqrusi.cat

    Filesize

    5KB

    MD5

    399eab834d5303dcc5aa3c579aa43182

    SHA1

    5ce6ba5832608ea3fa35598d1576d3d7f127d9f1

    SHA256

    12871ab5b8b874dd3a04a244a79ab6dd12f1898b9dc8c6860c7bfeea592a46cd

    SHA512

    9e7593ea65f13d9c768c0a2541ed9735e094a9a9af3edd61731036b16cfdd9d0faca8895d64c27854bf54089272b8eb78daf2c5c47e7411c24429eef7571a024

  • C:\ProgramData\Ole32\sppcomapi.exe

    Filesize

    170KB

    MD5

    e948f9365289e88b814f9dcad215c509

    SHA1

    0c1c206ac64488eff064f52f6b4d5f3567b02f48

    SHA256

    929e2026d30f241ac5cb25506d6f2687447be29d782e5dd3dd2dd2b0a8dd1eaa

    SHA512

    fc750a67fdc03e1d9a6efdca34d52e97061bcce22851c8c95df1f04e5024f247db5050c631958d85ead22d5fa43e29102411ae29dd0194fcf5b8d1b82230f0fc

  • C:\Users\Admin\AppData\Roaming\Ole32\sppcomapi.exe

    Filesize

    170KB

    MD5

    e7646eb88a7050401d7ea1b9417ebdf4

    SHA1

    358be13cc99f1408e12773ee957f79fbd1b6bfde

    SHA256

    e249a554f9268e24b98e63faf9111c5cc192779b5a82d2fdf65c5d9532587fd3

    SHA512

    65829e130165ff60eb963a1d8a353ec578e0b937673089ef0ca0f408728504cb1727ca88638fb0f4a59e5c08215d6400b915ef9c3f2e62a102e390998dba4563

  • memory/5084-41-0x0000000073BD0000-0x0000000073C09000-memory.dmp

    Filesize

    228KB

  • memory/5084-64-0x0000000073BD0000-0x0000000073C09000-memory.dmp

    Filesize

    228KB