Overview

overview

7

Static

static

3

8504956e6e...15.exe

windows7-x64

7

8504956e6e...15.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.exe

  • Size

    759KB

  • MD5

    8a4c8f6a264659e548701da869c55996

  • SHA1

    cda9ae8ddcab792b4ec84fe1468e2a0c0b60a1dc

  • SHA256

    8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15

  • SHA512

    dcc32ec7bbe951a2871a9ff23b20efb2d882345019bda0e36814cbb31f65b0a1b8b1fbb2c0728ecbda65cb89b7cd871405c14472ff7636913557b65554a61af7

  • SSDEEP

    12288:x2JylsKTFW4VyPGDSBQkoZnkDfRgnqTzUjD5FZ9oU5DO69x:x2Jyxo4VR7ofGqTK7px

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.exe
    "C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.tmp
      C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.tmp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4232
    • C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.mm
      C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.mm /zhj
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\GOG.exe
        C:\Windows\GOG.exe /zhj
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.mm
    Filesize

    576KB

    MD5

    0e021f4daa3ad0bbd4da7caed4403334

    SHA1

    dfb561632c35b9d282357a408ad80957f593a495

    SHA256

    5fc2adfb3823227f257d2ca22d8f605e1c897e803ca5ea7ac9090530d98de858

    SHA512

    9be3bcbb4d52f35fc5bc8c19e2e8df43f2a13675cbad2d3af02dc5c66805f3862bf4294a86c4dd8d0cf141e79b3047e6c579655b922c99374375efa3056950c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8504956e6eb66d157d8a492273ee15912f5b577c09d192a4bd4b816331d7aa15.tmp
    Filesize

    183KB

    MD5

    993834b83f59db2a8789d167c617f996

    SHA1

    91aaca70455f68c01a854fd446c918c0edbd21d2

    SHA256

    0a567046bbc4e3b7997d2c57b933afc0ae4e8d7c3101a0b2d43c7c50b406e5ac

    SHA512

    58deaf6eff84082fd2adf1dc1fdb0c5d5fb4e83cc1ab01fed607bd5a7e9601f804657f89fd794ee0efc0adaa240b78b461d2b6d45c0ebb8cad097fe1346ab01c

    Download Submit

  • memory/1332-67-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2440-0-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2440-66-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4232-65-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/4956-14-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download