Analysis
-
max time kernel
115s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08/09/2024, 20:49
General
-
Target
ef50bb6c261367510ea7407191f3e281c3cbe5d52a9dc42b00efd6ec3ee578de.exe
-
Size
2.7MB
-
MD5
bcea7f4ca755c72ea20359f460f0dcca
-
SHA1
5414081a1c8f69ddc443a0a5ac8ab919813419ab
-
SHA256
ef50bb6c261367510ea7407191f3e281c3cbe5d52a9dc42b00efd6ec3ee578de
-
SHA512
00ab7046b375647e33f9c40bee767c01effebd24a40f00951cf9a34e849fa861c4d21da2d527e79cf81a8599435c7adf2195cc5ef9ae8093be28c6d9325c866e
-
SSDEEP
49152:llt9EU4jWcKdRw/L4UP0ICgGLAGr9tWxXbxc4Lcd6/BfxD9bwqqzeeBXziC4wN5:llt9EUKWVde47hAcAx/bBfrvqzeeBjXz
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef50bb6c261367510ea7407191f3e281c3cbe5d52a9dc42b00efd6ec3ee578de.exe"C:\Users\Admin\AppData\Local\Temp\ef50bb6c261367510ea7407191f3e281c3cbe5d52a9dc42b00efd6ec3ee578de.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mhogxdwhwi.exe" /VERYSILENT2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mhogxdwhwi.exe"C:\Users\Admin\AppData\Local\Temp\mhogxdwhwi.exe" /VERYSILENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-N0UD4.tmp\mhogxdwhwi.tmp"C:\Users\Admin\AppData\Local\Temp\is-N0UD4.tmp\mhogxdwhwi.tmp" /SL5="$70254,232785,54272,C:\Users\Admin\AppData\Local\Temp\mhogxdwhwi.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
900KB
MD5f8b110dc2063d3b29502aa7042d26122
SHA11a0fd3db79eadc1ce714f6267d476ddbec0f5e79
SHA256e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762
SHA512f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f
-
Filesize
526KB
MD59beea33ea128fd25ad509ae7ff7bcff3
SHA13a87a124b47d68bf8eb1d1a4f9695fb2b2a52660
SHA256e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e
SHA512292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
80KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
2.6MB