Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2024 07:07

General

  • Target

    bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe

  • Size

    9.2MB

  • MD5

    d511554c3e89879625547bfe436cbf80

  • SHA1

    df37505e4f1bc919432b5a80c1f5d32484438ce8

  • SHA256

    bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8

  • SHA512

    360b811f826e6d695d7f1659503b33db92b8c43001f05666b2820c587a95f62e079c0ddb3b23d0159767a29835da6386c882e5383a88629fe562d251df9bdcd9

  • SSDEEP

    196608:lQKdvgDDwRB/rYSExCaWeQx12c00AL3MBEre9s4mEqaB2R5oBPLm8eiveeeI/:JVSDwRZYSExCaxk2rgR9saZk5CPSivem

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
    "C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe
      "C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:392
    • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe

    Filesize

    6.3MB

    MD5

    5d6a303668e616ff81485949f18515b3

    SHA1

    fc7ca4ae06279a78d0e0fcbf7f3a874ff8230cfe

    SHA256

    d48ac7a7f98179c41d161ab90c08fac46fac8680e10b6f8fa605d5b029839d01

    SHA512

    49b86188cd9847afb9230cf59e1d29069b37bcaf178d50fb78d64dfe918ec523e140f1ee12f790d1daaa11c1e198f8744b3117683f7c91d637c91c6779a63fd3

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    3.8MB

    MD5

    323c0fd51071400b51eedb1be90a8188

    SHA1

    0efc35935957c25193bbe9a83ab6caa25a487ada

    SHA256

    2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

    SHA512

    4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

  • memory/1300-35-0x00000000005D0000-0x0000000000F0F000-memory.dmp

    Filesize

    9.2MB

  • memory/4224-51-0x0000000002BF0000-0x0000000002C02000-memory.dmp

    Filesize

    72KB

  • memory/4224-36-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/4224-38-0x0000000002BD0000-0x0000000002BE3000-memory.dmp

    Filesize

    76KB

  • memory/4224-46-0x0000000000990000-0x00000000009A0000-memory.dmp

    Filesize

    64KB

  • memory/4224-83-0x0000000002F80000-0x0000000002F90000-memory.dmp

    Filesize

    64KB

  • memory/4224-91-0x0000000002F90000-0x0000000002FB0000-memory.dmp

    Filesize

    128KB

  • memory/4224-75-0x0000000002F70000-0x0000000002F80000-memory.dmp

    Filesize

    64KB

  • memory/4224-67-0x0000000002F50000-0x0000000002F61000-memory.dmp

    Filesize

    68KB

  • memory/4224-59-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

  • memory/4224-102-0x0000000000400000-0x0000000000623000-memory.dmp

    Filesize

    2.1MB

  • memory/4240-22-0x0000000000F60000-0x0000000001F60000-memory.dmp

    Filesize

    16.0MB

  • memory/4240-21-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

  • memory/4240-20-0x00000000005D0000-0x00000000005D1000-memory.dmp

    Filesize

    4KB