Overview

overview

7

Static

static

3

3088b0302d...e6.exe

windows7-x64

7

3088b0302d...e6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6.exe

  • Size

    26KB

  • MD5

    0e926b28fc49f6259a70c032ae83cd14

  • SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

  • SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

  • SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

  • SSDEEP

    384:BvV0KF7OERZOTPx3hd/N7az/bCKQIRB1F7M9ekamfrqEjDEFCFUa0gW71JBr:B9LZOTPxNG5z7uTqVCFUa0gWR

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6.exe
    "C:\Users\Admin\AppData\Local\Temp\3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
      "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe
        "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe" --checker
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
    Filesize

    26KB

    MD5

    0e926b28fc49f6259a70c032ae83cd14

    SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

    SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

    SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUSIService_def1b287201f4ce6b78a462cd62db096.lnk
    Filesize

    1KB

    MD5

    7dc50a03fb60a0b3b1d5a888cca9345d

    SHA1

    268a2bdc8260343ac0212f2a6eebf34c2a3e81ae

    SHA256

    41200444434c8d141623af60dfd1bf76d9402abe59456b0e8858cfbf78832198

    SHA512

    8a80b58ba8ff635acb221c42422bf89845b49de93a6010f09586d69091e79786591d35521650f5deaccf2c024f9cf9ca8d8231626979fda56aaef7742c3c7d87

    Download Submit

  • memory/1072-22-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1072-23-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1072-52-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1072-55-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-4-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-1-0x0000000000640000-0x000000000064C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4260-21-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4260-0-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4476-37-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4476-38-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4476-60-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4476-63-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download