Overview

overview

10

Static

static

10

253d2bc02e...94.exe

windows7-x64

10

253d2bc02e...94.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    253d2bc02e9a0b835ce9c7bf6f05bc9fa33bc60ddfb71f1da3de26befa103894.exe

  • Size

    43KB

  • MD5

    fa730ba7926d985677d9d33d0f714509

  • SHA1

    3c0396c78d4b50a147522f9a64eef0387874215e

  • SHA256

    253d2bc02e9a0b835ce9c7bf6f05bc9fa33bc60ddfb71f1da3de26befa103894

  • SHA512

    efb111e8fcb31e7609219bf5c5ae4ba9ec467cdb9f6f539ee1bc5bc91493adce9ee57f7f8a24e77fa29abbd991fd32355f9d6a367bee3fa2396c4c3a8bfe4e57

  • SSDEEP

    384:QZyVcVarEvEyeZ00s/Y0XMtZtQF8u9D9O5UE5QzwBlpJNakkjh/TzF7pWnN1gre3:WOcMYvReZ1s/tSZaWvQO+kD+L

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253d2bc02e9a0b835ce9c7bf6f05bc9fa33bc60ddfb71f1da3de26befa103894.exe
    "C:\Users\Admin\AppData\Local\Temp\253d2bc02e9a0b835ce9c7bf6f05bc9fa33bc60ddfb71f1da3de26befa103894.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
    Filesize

    43KB

    MD5

    fa730ba7926d985677d9d33d0f714509

    SHA1

    3c0396c78d4b50a147522f9a64eef0387874215e

    SHA256

    253d2bc02e9a0b835ce9c7bf6f05bc9fa33bc60ddfb71f1da3de26befa103894

    SHA512

    efb111e8fcb31e7609219bf5c5ae4ba9ec467cdb9f6f539ee1bc5bc91493adce9ee57f7f8a24e77fa29abbd991fd32355f9d6a367bee3fa2396c4c3a8bfe4e57

    Download Submit

  • memory/1544-12-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1544-15-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4984-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4984-13-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download