Overview

overview

7

Static

static

3

84a9a63c18...0N.exe

windows7-x64

7

84a9a63c18...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84a9a63c183f9134714fedcb7fb5f5e0N.exe

  • Size

    654KB

  • MD5

    84a9a63c183f9134714fedcb7fb5f5e0

  • SHA1

    9039447af0b6cec72737aba31211deeb6f4543c7

  • SHA256

    317f18f14e26eec4b17fd2f0b961aecc912c2172955ef75c7f30ecc1a22caef3

  • SHA512

    b28ba798418dc2eeb70ad6f86d51776c33422f97d6dd336ecf2fba5e989d6d431209b226e24ee0d79f0eddc1feda64f1d939878027a21af475a5ef38e819cbb9

  • SSDEEP

    12288:oYIW0p98Oh8P7h8GGsOvXSVqby69pezUapFc32TPu7he9gyCWTHb:EW298E8uGiXCqbZ2zRFc32TPu7he9gy5

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\8B87.tmp
      "C:\Users\Admin\AppData\Local\Temp\8B87.tmp" --pingC:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe 9A789FEC1EB65576461AD78F7CD239ED00B7F90317A76DC851930B4A396BFDCEE50C80981C1145475D017D105A6605AA3228A180344196E3C9FD6E32CD689564
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.docx
    Filesize

    21KB

    MD5

    7079891932a64f097abafd233055a1e9

    SHA1

    246d95feafe67689d49a5a4cadba18d3ac1914e5

    SHA256

    c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

    SHA512

    6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8B87.tmp
    Filesize

    654KB

    MD5

    9518f9ac712f613dfd9a58c34063fc01

    SHA1

    ed441619655bd8168e84d8e88cebc3e186bc11c5

    SHA256

    372f28ad012ce5acb842f0a096d7e3b93882315208d121e11e65f08caab48188

    SHA512

    47ab741c31e81548837e070d5ac78e7ecf5658818d0ad6592d7b3d50a6040872e1564694c52f2950b76efe86b12fb3b0d1464d28e5b3d6d572cd69713566c881

    Download Submit

  • memory/3772-24-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-21-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-10-0x00007FFBF7210000-0x00007FFBF7220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-9-0x00007FFC3722D000-0x00007FFC3722E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-13-0x00007FFBF7210000-0x00007FFBF7220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-18-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-20-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-19-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-23-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-26-0x00007FFBF4CF0000-0x00007FFBF4D00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-11-0x00007FFBF7210000-0x00007FFBF7220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-12-0x00007FFBF7210000-0x00007FFBF7220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-25-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-22-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-27-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-16-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-28-0x00007FFBF4CF0000-0x00007FFBF4D00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-17-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-15-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-14-0x00007FFBF7210000-0x00007FFBF7220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3772-42-0x00007FFC37190000-0x00007FFC37385000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3772-41-0x00007FFC3722D000-0x00007FFC3722E000-memory.dmp

    Filesize

    4KB

    Download