Overview

overview

7

Static

static

3

d9ad0ed4bc...80.exe

windows7-x64

6

d9ad0ed4bc...80.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 03:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280.exe

  • Size

    172KB

  • MD5

    836f47db0811046178129bbe3097aa7d

  • SHA1

    a63d6916c8e663e80f76c51b389a3c7cec60d49c

  • SHA256

    d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280

  • SHA512

    3f1c1ab2b2f12ed6ee11ebfb983c4a52e96e9598310dc6bb706795442082a5037a4b79d15912bf52e3ac0062483bee6ba0d1446177f142a7888a2343b4029bae

  • SSDEEP

    3072:d14mOxrKFNZYhrgtRFuV2DDbuiTf3hPsOraS87FYqjTZbn4TGh:dnYWYhrgtRo6DSiTf3hPswa1TZjxh

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280.exe
    "C:\Users\Admin\AppData\Local\Temp\d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\backgroundTaskHost.exe
      "backgroundTaskHost.exe"
      2⤵
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1360
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\cjkA29E.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\d9ad0ed4bc5a64761993e5742b7f80a6b98a3eb13866d830eefe527d56b7b280.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1972

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\ddh8dbfj4f.exe
          Filesize

          172KB

          MD5

          3cf5abe2c8aff957ba1e86c7fefecdcc

          SHA1

          dbec05259aecfc73695ddcddc0705497995db1d5

          SHA256

          98119cbdcfe616afaf68b23cbb3b05d282008e9ecf67fb6dc9814196bf1c745c

          SHA512

          82505c65250a1d388c1a457fddc6dde80ef141dae91987e1dfd6b9de06b8d8f848675afd6bdf0d6e94a21909e06e8cfe62a3f1fd93405f2578e264774bac32e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8
          Filesize

          29B

          MD5

          ab20df5255f7c137ebfe6b7b0ac85f47

          SHA1

          d7810d1fbcc9786ce781f560f9b1cd1c7dc0cb41

          SHA256

          f6c6e167293e2a21eff85c78df2f9bf7e139981cfa1b377d20285f4c8ed09132

          SHA512

          11541a90b6b6c1af561c5df6a0176b7e372e0766ac57770422f1d50df201bd39cfe2e6feec0e37c6aa54f2a2b46b57f61e4dae0f569b4c1648058a76a0163b23

          Download Submit

        • C:\Users\Admin\AppData\Local\cjkA29E.tmp.bat
          Filesize

          59B

          MD5

          81be4344ed82df2fdc8cc2a7bedc1ddd

          SHA1

          c5d43e904fff300b5b575f3f989b3b6d13386a58

          SHA256

          21b302506d6dbf0a02eeb254a194cb2f7c64b2a24b22a2322f6edcfa57ed06b1

          SHA512

          8b19b40a68a237659713d9277e168de944d67e8dd5ff6e686a126edd6f0c38b9750e613d824bb24e1dda76b46d06488d0aa8f2f04fa9139ade57a6602d486fd3

          Download Submit

        • memory/1360-303-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-301-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-298-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-293-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-307-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-4-0x0000000000840000-0x0000000000841000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-131-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-295-0x0000000000D20000-0x0000000000E20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1360-359-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-704-0x0000000000D20000-0x0000000000E20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1360-6-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-688-0x0000000000E20000-0x0000000000E97000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1360-703-0x0000000002A80000-0x0000000002A81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3028-685-0x0000000003690000-0x0000000003707000-memory.dmp

          Filesize

          476KB

          Download