Analysis

  • max time kernel: 141s
  • max time network: 136s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/10/2024 (6 October 2024; the image is dated 2024-08-02, so the date is day/month), 01:01 UTC

General

  • Target: a8708d98185364e876e7456b06182e9786a615d91040814f040cc46f18eb1c22.exe
  • Size: 37KB
  • MD5: 8cc6010309813e21a5d39d3b02bc6e4e
  • SHA1: 7b7c6e463d22cd449147faff042bc33d0b7e34e1
  • SHA256: a8708d98185364e876e7456b06182e9786a615d91040814f040cc46f18eb1c22
  • SHA512: 2ce7175ca673256fff19aa3f3eaf1311b6338ea41b67368848ae2d844d095e7dd00d7d22527d2668600cb1d63b8e982c0188013d086b93721a21936f434e3129
  • SSDEEP: 768:LCRfCvm23OTnm7NSBTyS5qDRa7DrtlHO3333WUUUYLG+++/:WVCvmrK7NSNymqDet5bT

Malware Config

Signatures

  • Sets file to hidden (1 TTP, 1 IoC): modifies file attributes so the file no longer shows in Explorer and similar views.
  • Checks computer location settings (2 TTPs, 1 IoC): looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (1 IoC)
  • Indicator Removal: File Deletion (1 TTP): adversaries may delete files left behind by the actions of their intrusion activity.
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Checks processor information in registry (2 TTPs, 2 IoCs): processor information is often read in order to detect sandboxing environments.
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • PID 2904 (depth 1): C:\Users\Admin\AppData\Local\Temp\a8708d98185364e876e7456b06182e9786a615d91040814f040cc46f18eb1c22.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8708d98185364e876e7456b06182e9786a615d91040814f040cc46f18eb1c22.exe"
    Signatures: Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • PID 1840 (depth 2, child of 2904): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +a +s +h +r C:\Windows\Debug\mewhost.exe
      Signatures: Sets file to hidden; Drops file in Windows directory; System Location Discovery: System Language Discovery; Views/modifies file attributes
    • PID 4000 (depth 2, child of 2904): C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A8708D~1.EXE > nul
      Signatures: System Location Discovery: System Language Discovery
  • PID 3024 (depth 1): C:\Windows\Debug\mewhost.exe
    Command line: C:\Windows\Debug\mewhost.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry

Reading the tree: the submitted file writes a copy to C:\Windows\Debug\mewhost.exe, marks it system, hidden, read-only and archive with attrib.exe, and removes its own on-disk image through cmd.exe, referring to itself by its 8.3 short name (A8708D~1.EXE) with output redirected to nul. Detection rules that match the long file name in a del command will miss that short-name form. The dropped copy then appears as a separate top-level process; the report records no parent for PID 3024, so how it was launched is not captured here. Both children are started from SysWOW64, so the dropper runs as a 32-bit process on this x64 image, consistent with the arch:x86 tag and the 0x00400000 image base in the memory dumps below.
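The three behaviours in this tree (hiding the dropped executable with attrib, deleting the original by its 8.3 short name, and running from C:\Windows\Debug) can be turned into process-creation detection logic. The following is an added example, not output from the sandbox or code from the sample: it runs over constructed Sysmon-style events that mirror the tree above (PIDs as reported, parent PIDs and the benign look-alike rows are assumptions), and its 8.3 short-name approximation is a simplification of what Windows actually does.

```python
"""Detection logic for the dropper behaviour in the process tree above, run over
constructed Sysmon-style process-creation events. Added example, not report
output: the event records, parent PIDs and benign rows are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\a8708d98185364e876e7456b06182e9786a615d91040814f040cc46f18eb1c22.exe")

# Constructed events mirroring the report's tree (PIDs as reported, parent PIDs
# assumed), plus two benign look-alikes that a sloppy rule would flag.
EVENTS = [
    ProcEvent(2904, 1200, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1840, 2904, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib +a +s +h +r C:\Windows\Debug\mewhost.exe"),
    ProcEvent(4000, 2904, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A8708D~1.EXE > nul'),
    ProcEvent(3024, 0, r"C:\Windows\Debug\mewhost.exe", r"C:\Windows\Debug\mewhost.exe"),
    ProcEvent(5100, 1200, r"C:\Windows\System32\attrib.exe", r"attrib +h C:\Users\Admin\notes.txt"),
    ProcEvent(5200, 1200, r"C:\Windows\System32\cmd.exe",
              r"cmd /c del C:\Users\Admin\AppData\Local\Temp\report.tmp"),
]


def short_name_stem(long_name: str) -> str:
    """Approximate the 8.3 stem Windows derives from a long name: the first six
    characters once spaces and dots are dropped, upper-cased. Windows resolves
    collisions with ~2, ~3 ..., so the numeric suffix is wildcarded in names_match."""
    stem = long_name.rsplit(".", 1)[0] if "." in long_name else long_name
    return re.sub(r"[ .]", "", stem).upper()[:6]


def names_match(path_a: str, path_b: str) -> bool:
    """True when two paths name the same file, allowing one side to use the 8.3
    short form (A8708D~1.EXE for a8708d98...1c22.exe). Matching on the long name
    alone misses the self-delete command in the report."""
    names = [p.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').upper() for p in (path_a, path_b)]
    if names[0] == names[1]:
        return True
    for long_name, short in (names, names[::-1]):
        m = re.fullmatch(r"([A-Z0-9_\-]{1,6})~\d+(?:\.([A-Z0-9]{1,3}))?", short)
        if not m:
            continue
        long_ext = long_name.rsplit(".", 1)[1] if "." in long_name else ""
        if short_name_stem(long_name) == m.group(1) and long_ext[:3] == (m.group(2) or ""):
            return True
    return False


def hides_executable_in_windows(ev: ProcEvent) -> bool:
    r"""attrib.exe adding +h or +s to an .exe under C:\Windows (the report's
    attrib +a +s +h +r C:\Windows\Debug\mewhost.exe)."""
    if not ev.image.lower().endswith("\\attrib.exe"):
        return False
    tokens = ev.cmdline.split()
    flags = {t.lower() for t in tokens if t.startswith("+")}
    target = tokens[-1].strip('"').lower()
    return bool(flags & {"+h", "+s"}) and target.endswith(".exe") and target.startswith("c:\\windows\\")


def self_deletion(ev: ProcEvent, by_pid: dict) -> bool:
    """cmd.exe deleting its own parent's image, 8.3 names included; the '> nul'
    redirection in the report is cosmetic and deliberately not required here."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    m = re.search(r"\bdel\s+(?:/\w+\s+)*([^\s>]+)", ev.cmdline, re.IGNORECASE)
    parent = by_pid.get(ev.ppid)
    return bool(m and parent and names_match(m.group(1), parent.image))


def runs_from_windows_debug(ev: ProcEvent) -> bool:
    r"""An executable image under C:\Windows\Debug, a directory that normally
    holds log files rather than programs."""
    return ev.image.lower().startswith("c:\\windows\\debug\\")


def findings(events):
    """Return (pid, rule) pairs; the benign look-alikes in EVENTS produce none."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        if hides_executable_in_windows(e):
            out.append((e.pid, "hide-dropped-exe"))
        if self_deletion(e, by_pid):
            out.append((e.pid, "self-delete"))
        if runs_from_windows_debug(e):
            out.append((e.pid, "exec-from-windows-debug"))
    return out


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(f"PID {pid}: {rule}")
```

The self-delete rule needs the parent's image path, so it only works on telemetry that records parent PIDs (Sysmon event 1 or Security 4688 with the parent field); on the benign `del ...\report.tmp` row the parent is unknown and the rule stays silent rather than guessing.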

Network

  DNS requests (all sent to 8.8.8.8:53). The process is shown where the report attributes one; the reverse (PTR) lookups carry no process attribution, so only the mewhost.exe queries can be tied to the sample.

  • 228.249.119.40.in-addr.arpa  IN PTR  (no answer records)
  • 172.210.232.199.in-addr.arpa  IN PTR  (no answer records)
  • www.baidu.com  IN A  from mewhost.exe: CNAME www.a.shifen.com, CNAME www.wshifen.com, A 103.235.47.188, A 103.235.46.96
  • 95.221.229.192.in-addr.arpa  IN PTR  (no answer records)
  • 4.159.190.20.in-addr.arpa  IN PTR  (no answer records)
  • 188.47.235.103.in-addr.arpa  IN PTR  (no answer records; reverse lookup of the first baidu address)
  • dS0UfcHV6.nnnn.eu.org  IN A  from mewhost.exe  (no answer records)
  • 104.219.191.52.in-addr.arpa  IN PTR  (no answer records)
  • 200.163.202.172.in-addr.arpa  IN PTR  (no answer records)
  • 198.187.3.20.in-addr.arpa  IN PTR  (no answer records)
  • D8CfRZePjn.nnnn.eu.org  IN A  from mewhost.exe  (no answer records)
  • 88.210.23.2.in-addr.arpa  IN PTR  a2-23-210-88.deploy.static.akamaitechnologies.com
  • nLtri371S1.nnnn.eu.org  IN A  from mewhost.exe  (no answer records)
  • N1a2T1b9Cj.nnnn.eu.org  IN A  from mewhost.exe  (no answer records)
  • xhlDkV4Gwx.nnnn.eu.org  IN A  from mewhost.exe  (no answer records)
  Connections (bytes sent / bytes received / packets sent / packets received). The sent sizes match the on-wire size of the query incl. IP and UDP headers, e.g. 59 B for www.baidu.com and 67 B for dS0UfcHV6.nnnn.eu.org, which is how the column order was checked.

  • 103.235.47.188:443  www.baidu.com  https  mewhost.exe  588 B / 212 B / 6 / 5
  • 8.8.8.8:53  228.249.119.40.in-addr.arpa  dns  73 B / 159 B / 1 / 1
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B / 1 / 1
  • 8.8.8.8:53  www.baidu.com  dns  mewhost.exe  59 B / 144 B / 1 / 1  (response: 103.235.47.188, 103.235.46.96)
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B / 144 B / 1 / 1
  • 8.8.8.8:53  4.159.190.20.in-addr.arpa  dns  71 B / 157 B / 1 / 1
  • 8.8.8.8:53  188.47.235.103.in-addr.arpa  dns  73 B / 161 B / 1 / 1
  • 8.8.8.8:53  dS0UfcHV6.nnnn.eu.org  dns  mewhost.exe  67 B / 117 B / 1 / 1
  • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B / 147 B / 1 / 1
  • 8.8.8.8:53  200.163.202.172.in-addr.arpa  dns  74 B / 160 B / 1 / 1
  • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  71 B / 157 B / 1 / 1
  • 8.8.8.8:53  D8CfRZePjn.nnnn.eu.org  dns  mewhost.exe  68 B / 118 B / 1 / 1
  • 8.8.8.8:53  88.210.23.2.in-addr.arpa  dns  70 B / 133 B / 1 / 1
  • 8.8.8.8:53  nLtri371S1.nnnn.eu.org  dns  mewhost.exe  68 B / 118 B / 1 / 1
  • 8.8.8.8:53  N1a2T1b9Cj.nnnn.eu.org  dns  mewhost.exe  68 B / 118 B / 1 / 1
  • 8.8.8.8:53  xhlDkV4Gwx.nnnn.eu.org  dns  mewhost.exe  68 B / 118 B / 1 / 1

The only non-DNS connection is the TLS session to www.baidu.com (588 B out, 212 B in), which is consistent with a reachability check rather than command-and-control. Each of the five nnnn.eu.org queries drew a 117-118 B reply that contained no A record (a size consistent with a negative answer carrying an SOA), so no contact with that infrastructure was observed within the 136 s network window. The labels are random-looking and mixed-case, and the parent nnnn.eu.org is the indicator worth keeping: the individual labels are unlikely to repeat.
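The DNS pattern above (one well-known name resolved, then a run of random-looking, mixed-case labels under a single parent that never resolve) can be scored from passive DNS or resolver logs. The following is an added example, not report output or code from the sample: the query records are constructed to mirror the report plus benign noise (benign addresses from the 203.0.113.0/24 documentation range), and the suffix table is a stand-in for the Public Suffix List, which a real deployment should use instead.

```python
"""Score DNS traffic for the shape seen in the network section: one well-known
name resolved, then random-looking, mixed-case labels under one parent that
never resolve. Added example, not report output; records are constructed and
PUBLIC_SUFFIXES is a stand-in for the Public Suffix List."""
import math
from collections import defaultdict

# (process, query name, type, answer rdata). Empty answers mirror the report's
# empty Response entries. The chrome.exe rows are constructed benign noise.
QUERIES = [
    ("mewhost.exe", "www.baidu.com", "A", ["103.235.47.188", "103.235.46.96"]),
    ("mewhost.exe", "dS0UfcHV6.nnnn.eu.org", "A", []),
    ("mewhost.exe", "D8CfRZePjn.nnnn.eu.org", "A", []),
    ("mewhost.exe", "nLtri371S1.nnnn.eu.org", "A", []),
    ("mewhost.exe", "N1a2T1b9Cj.nnnn.eu.org", "A", []),
    ("mewhost.exe", "xhlDkV4Gwx.nnnn.eu.org", "A", []),
    ("", "88.210.23.2.in-addr.arpa", "PTR", ["a2-23-210-88.deploy.static.akamaitechnologies.com"]),
    ("", "228.249.119.40.in-addr.arpa", "PTR", []),
    ("chrome.exe", "mail.example.com", "A", ["203.0.113.5"]),
    ("chrome.exe", "cdn.example.com", "A", ["203.0.113.6"]),
    ("chrome.exe", "static.example.com", "A", ["203.0.113.7"]),
    ("chrome.exe", "old.example.com", "A", []),
]

# Assumption: a tiny subset of the Public Suffix List. eu.org is listed there
# because EU.org delegates subdomains to unrelated parties, so the registrable
# name here is nnnn.eu.org, not eu.org.
PUBLIC_SUFFIXES = {"com", "org", "eu.org", "arpa", "in-addr.arpa"}


def registered_domain(qname: str) -> str:
    """Longest matching public suffix plus one label: nnnn.eu.org, baidu.com."""
    parts = qname.rstrip(".").lower().split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in PUBLIC_SUFFIXES:
            return ".".join(parts[max(i - 1, 0):])
    return ".".join(parts[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character: 2.0 for 'abcd', about 3.2 for a ten-character label
    with no repeats, 0.0 for 'aaaa'."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_mixed_case(label: str) -> bool:
    """DNS is case-insensitive and most software sends lower-case names, so a
    leftmost label mixing cases (dS0UfcHV6) is a cheap oddity signal."""
    return label != label.lower() and label != label.upper()


def suspicious_parents(queries, min_labels=3, min_unresolved=0.8, min_entropy=2.8):
    """Group forward queries by registered domain and return {parent: stats} for
    those with many distinct, high-entropy, mostly unresolved leftmost labels."""
    groups = defaultdict(list)
    for proc, qname, qtype, answers in queries:
        if qtype == "PTR" or qname.lower().endswith(".arpa"):
            continue  # reverse lookups are a different question; skip them here
        parent = registered_domain(qname)
        if qname.lower().rstrip(".") != parent:
            groups[parent].append((proc, qname.split(".")[0], answers))
    findings = {}
    for parent, rows in groups.items():
        labels = {label for _, label, _ in rows}
        if len(labels) < min_labels:
            continue
        stats = {
            "distinct_labels": len(labels),
            "unresolved_ratio": sum(1 for _, _, a in rows if not a) / len(rows),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "mixed_case_ratio": sum(map(is_mixed_case, labels)) / len(labels),
            "processes": sorted({p for p, _, _ in rows if p}),
        }
        if stats["unresolved_ratio"] >= min_unresolved and stats["mean_entropy"] >= min_entropy:
            findings[parent] = stats
    return findings


if __name__ == "__main__":
    for parent, stats in suspicious_parents(QUERIES).items():
        print(parent, stats)
```

Thresholds are deliberately simple: three or more distinct labels, at least 80 % unresolved, and mean label entropy above 2.8 bits. The example.com group has four labels but resolves, so it is not reported; nnnn.eu.org is reported with all five labels unresolved and mixed-case. Grouping by registered domain matters because a rule keyed on eu.org would lump every EU.org user together.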

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\debug\mewhost.exe (dropped file)
    Filesize: 37KB
    MD5: e4a4be3091243376f5bf62fd0545a599
    SHA1: 2488524d0da043d1e65973f7c2b945c2c79e807c
    SHA256: dcda5abafc9a31ea0e60ba1da114afd575fda3d572a266293007081bc449bd57
    SHA512: 1f84cb40e28ed2fce328ac0b00fb1bda9b5bba1a29a73c5b62059e6b47e20a7d8184df2cf082fdf9a6432105012bed1f6314bb66a50a6f7707213e77a6b553cf

    The dropped copy is the same size as the submitted file but hashes differently (MD5 e4a4be30... vs 8cc60103...), so blocking on the submitted hashes alone will not match the file persisted at C:\Windows\Debug\mewhost.exe; block both sets, or key on the path and the system+hidden attributes.

  • Memory dumps, all 88KB, covering the image range 0x0000000000400000-0x0000000000416000 (0x16000 bytes) in both processes:
    memory/2904-0-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/2904-6-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/3024-7-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/3024-10-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/3024-13-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/3024-16-0x0000000000400000-0x0000000000416000-memory.dmp
    memory/3024-19-0x0000000000400000-0x0000000000416000-memory.dmp
