a1ff018ae5d8043a43c6323154e89fcbe1d725c87ba1f3e3cb393047e6b4ab38

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0af9996389089ed5a37dffb20115d660N.exe
Size

2.0MB
MD5

0af9996389089ed5a37dffb20115d660
SHA1

923d23a18eb0f494afff8f42025ef62c01d8e16c
SHA256

a1ff018ae5d8043a43c6323154e89fcbe1d725c87ba1f3e3cb393047e6b4ab38
SHA512

d9a1a8df24ff3c246a7f20d37ec131692ad6a0acee01d056547e98188dd0c50b4f3eabc94fcc010ae2887daf641b179b36289cd3ee6633078abbad3d39de2159
SSDEEP

49152:fxTeZUleSs7Z/n6a96iOtgdtvQuIDZOK7c7GY0wWqDqT9K:JleSsRn6c6PU5QuIDc7PrWqDqT9K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0af9996389089ed5a37dffb20115d660N.exe

Executes dropped EXE 1 IoCs

pid	Process
872	StartAllBackCfg.exe

Loads dropped DLL 1 IoCs

pid	Process
872	StartAllBackCfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
872	StartAllBackCfg.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 872	3372	0af9996389089ed5a37dffb20115d660N.exe	83
PID 3372 wrote to memory of 872	3372	0af9996389089ed5a37dffb20115d660N.exe	83

C:\Users\Admin\AppData\Local\Temp\0af9996389089ed5a37dffb20115d660N.exe
"C:\Users\Admin\AppData\Local\Temp\0af9996389089ed5a37dffb20115d660N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\SIBSFX.7A1BFD2C\StartAllBackCfg.exe
  "C:\Users\Admin\AppData\Local\Temp\SIBSFX.7A1BFD2C\StartAllBackCfg.exe" /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SIBSFX.7A1BFD2C\StartAllBackCfg.exe

Filesize
3.3MB

MD5
a5a2ca9c49f16a184875ba09b3e08b60

SHA1
4647fa230691e8a38486cb209b713c4684b28772

SHA256
82ed0eb734ea86b1e5feec0507e49cbb6a60db7fae16777e79891738de4cd0a2

SHA512
978cce9afd541deae76f1c3a793fbd75ec5c871dd90b9f26a8e2a517cf1e453a86e7976d02408735a6bcb2a726e25bb52048444e23edafe583bb147ce18e6881

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.7A1BFD2C\StartAllBackX64.dll

Filesize
1015KB

MD5
a3b985470acf6959e88ff15d8711dfe8

SHA1
f88fd8fd1de819f493cffcf698208fe647640ec8

SHA256
c3d17dcf3dbbeae3b30a201030d76ff3ea42cd56407b84f53af5232c48d17fa0

SHA512
3591be7ca5b1763899296d8485d180f441c20a5af8d5d553f6087a660fba494b163aa5d4e85737be833231537420bde5bb38172019e26c92bff4b3f6cd8c68d4

Download Submit
memory/872-70-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/872-74-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download