Analysis

  • max time kernel
    104s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 07:20

General

  • Target

    ead26acbf0a60059a4774f4b3222adc0N.exe

  • Size

    78KB

  • MD5

    ead26acbf0a60059a4774f4b3222adc0

  • SHA1

    132e0f9d1c9445f530ad4ed4a754d4587b020ab5

  • SHA256

    4ba0d10ff201fe855000b31dec2bbf8ae7d32ed0ef3d76413357a454d6527660

  • SHA512

    d0ea36186c9da42eb82ff21fe4e7b0cd02e5bab48270214ee5a600baa6542f7451722bd0bdd7f2847b4a49ce5e860dc56f7024ee4dd953e345181652e37e5340

  • SSDEEP

    1536:nLNIW39SaZTbFARlq7jC1OZstZu0TS3gEdUJCkb0FGF:nLlbZTZX3BAtTS3gEdUJCkb0FGF

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\ProgramData\Graphics\guifx.exe
      "C:\ProgramData\Graphics\guifx.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4232
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3212
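The process tree above is the most reusable part of this report: the sample runs from the user's Temp folder, starts a copy it has written to C:\ProgramData\Graphics\guifx.exe, and then spawns cmd.exe to delete its own image (the "Indicator Removal: File Deletion" and "Executes dropped EXE" signatures). The following is an added example, not part of the sandbox report or any vendor's rule set, that turns that chain into detection logic over process-creation events. The event records are constructed to mirror the three processes shown above (they are not real telemetry), and the field names pid, ppid, image and cmdline are assumed to come from a source such as Sysmon Event ID 1. The Run key value is not shown on this page, so no rule for it is attempted.

```python
"""Detection logic for the self-deletion and drop-and-run chain in this report.

Added example; not part of the sandbox report. Events are constructed to
mirror the report's process tree (PIDs 2164, 4232, 3212).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the executable that actually ran
    cmdline: str    # command line as observed


# Constructed sample modelled on the report's three processes (not real data).
# Note the WOW64 detail visible in the report: the 32-bit parent asks for
# system32\cmd.exe but the process that runs is SysWOW64\cmd.exe, so the
# rules below match on the image path, never on the path inside the cmdline.
SAMPLE_EVENTS = [
    ProcEvent(2164, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe"'),
    ProcEvent(4232, 2164,
              r"C:\ProgramData\Graphics\guifx.exe",
              r'"C:\ProgramData\Graphics\guifx.exe" /run'),
    ProcEvent(3212, 2164,
              r"C:\windows\SysWOW64\cmd.exe",
              r'"C:\windows\system32\cmd.exe" /c del /q '
              r'"C:\Users\Admin\AppData\Local\Temp\ead26acbf0a60059a4774f4b3222adc0N.exe" >> NUL'),
]

# "del" or "erase", optional single-letter switches such as /q /f, then a
# quoted or bare target path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|(\S+))', re.I)


def del_target(cmdline):
    """Return the file a cmd.exe command line deletes, or None if it deletes nothing."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        img = e.image.lower()
        # Rule 1: cmd.exe spawned by a process in order to delete that
        # process's own image ("Indicator Removal: File Deletion").
        if img.endswith("\\cmd.exe"):
            target = del_target(e.cmdline)
            if target and target.lower() == parent.image.lower():
                findings.append(("self_deletion", e.pid, target))
        # Rule 2 (heuristic): a process running from the user's Temp folder
        # starts an executable under C:\ProgramData ("Executes dropped EXE").
        if img.startswith("c:\\programdata\\") and \
                "\\appdata\\local\\temp\\" in parent.image.lower():
            findings.append(("dropped_exe_from_temp", e.pid, e.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Rule 1 is high confidence: a parent whose own image is the target of a child `del` is almost always a dropper covering its tracks. Rule 2 is a heuristic and will fire on some installers that stage files under ProgramData, so treat it as an enrichment for Rule 1 rather than an alert on its own.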

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Graphics\guifx.exe

    Filesize

    78KB

    MD5

    6da8a6bd056d3aeb90ba355edd982b4b

    SHA1

    fb981e3004ec4aa57241a804cfaa907172823af6

    SHA256

    75d9c9f6b01073151004fcdb9fb13bf25e1f3011e7f6d17aca4ac1d17eb40fd6

    SHA512

    d8a3f202272a43ba248446ea536de907c6097c99155206ddfff03a3bfcb0c610fd1e5bdcb9e3127de3ca8bd776103d7ac1ff2b384912b82e9badcbbd4a9b8c8b