Overview

overview

7

Static

static

7

8fd6362231...0N.exe

windows7-x64

7

8fd6362231...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fd63622315516d3833bcc44b7ebc090N.exe

  • Size

    59KB

  • MD5

    8fd63622315516d3833bcc44b7ebc090

  • SHA1

    22222b28ad2514507fd74f258a1e94671bad17db

  • SHA256

    8c204424ac62ff49d98d90f1e86867e022da5ca6466d58dc079eb93e06948379

  • SHA512

    69897308f096d8766d588fc86fd5355f2a5fc35e4a675bbb4914cf3b3ebfabc4cf2209b0c798b31cd7a8ab0742168faa91b2843c56d84fc81187d9e51bcc691c

  • SSDEEP

    1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQJ:OeodiUO4p13b9HiIeoutuh1aQJ

Score
7/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fd63622315516d3833bcc44b7ebc090N.exe
    "C:\Users\Admin\AppData\Local\Temp\8fd63622315516d3833bcc44b7ebc090N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\ProgramData\AhnLab\AhnSvc.exe
      "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\8fd63622315516d3833bcc44b7ebc090N.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AhnLab\AhnSvc.exe
    Filesize

    59KB

    MD5

    efc69e42b297a3de5be546b79aabe39b

    SHA1

    60ef549be331770748d64bb4f10e46e2c242ecea

    SHA256

    7a4da78e15dc3f9bd8a962f34a1c517ccd937516fbae2eb28c7a06ede407a5c7

    SHA512

    64f7d0137d9b860279c0cf8a01cbac7500428db863a0ee69f81fbfff8b3f783dd4d18a29b70ad7e553786867185d20f6c8d7965003468fbcc66967a52646dba2

    Download Submit

  • memory/2516-0-0x0000000000F00000-0x0000000000F27000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2516-8-0x0000000000F00000-0x0000000000F27000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4556-4-0x0000000000A30000-0x0000000000A57000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4556-9-0x0000000000A30000-0x0000000000A57000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4556-10-0x0000000000A30000-0x0000000000A57000-memory.dmp

    Filesize

    156KB

    Download