Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-10-2024 06:17

General

  • Target

    6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46.exe

  • Size

    1.1MB

  • MD5

    2fddcf05302c2df225a86a20e14442b5

  • SHA1

    ab395a3fcf182764d88c2d6f318893d2ed68d43f

  • SHA256

    6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46

  • SHA512

    7b820f8b798098c7bd0eb640332110e1d81010fff69c2e5ad467d556ea042b614ffee8e6c745d0ec537d2046d306d674d13d81728a7980d9b582e524f0f024f3

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QQ:acallSllG4ZM7QzMH

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46.exe
    "C:\Users\Admin\AppData\Local\Temp\6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    7d445c8c45e3f93434e3822ea3dd20ab

    SHA1

    22c9a25565b063299bf0cc901d5e776ed6ecfa5f

    SHA256

    4b99f49c120183e3024dbf2168f889c58c60f22a3a2bf293eea968b017d69538

    SHA512

    db6940ab9394ebf22abeb0cd056d2a39c5da1b67473c01e98db74b0153516770a096d09db1721f777da40437eb95d53628b948d16c8178e5562e5fe893cbebaf

  • memory/5000-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/5000-9-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB
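The process tree and dropped-file hashes above, turned into a hunting check. This is an added example, not part of the Triage report: it runs three small detectors over a constructed Sysmon-style event list (one dict per event, not a real log export) that mirrors what the report shows, namely WScript.exe launched by the sample in %TEMP% with a .vbs under AppData\Roaming, a file write whose SHA256 matches the dropped VBS3.vbs, and a registry read of the configured country code. The registry value (Control Panel\International\Geo\Nation) is an assumption, since the report names no key. The SysWOW64 image versus the System32 path in the command line is WoW64 file-system redirection for a 32-bit parent, which fits the arch:x86 tag, and the check treats that mismatch as one more signal.

```python
import re

# IoCs copied from the report on this page
SAMPLE_SHA256 = "6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46"
DROPPED_VBS_SHA256 = "4b99f49c120183e3024dbf2168f889c58c60f22a3a2bf293eea968b017d69538"
KNOWN_HASHES = {SAMPLE_SHA256, DROPPED_VBS_SHA256}

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
ROAMING_VBS = re.compile(r'\\AppData\\Roaming\\[^"]*\.vbs\b', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Assumption: "Checks computer location settings" corresponds to a read of the
# Geo\Nation value; the report itself does not name the key.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def flag_process(ev):
    """Reasons a ProcessCreate-style event matches the chain in the report."""
    reasons = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    if SCRIPT_HOST.search(image) and ROAMING_VBS.search(cmd):
        reasons.append("script host executing a .vbs from AppData\\Roaming")
        if TEMP_DIR.search(parent):
            reasons.append("parent executable running from %TEMP%")
        # WoW64: a 32-bit parent asking for System32\WScript.exe is redirected
        # to SysWOW64\WScript.exe, so image and command line disagree.
        if "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower():
            reasons.append("32-bit parent (System32 path redirected to SysWOW64)")
    return reasons


def flag_file(ev, known_hashes=KNOWN_HASHES):
    """Reasons a FileCreate-style event matches the dropped script."""
    reasons = []
    name = ev.get("TargetFilename", "")
    digest = ev.get("SHA256", "").lower()
    if digest in known_hashes:
        reasons.append("SHA256 matches a known IoC")
    if ROAMING_VBS.search(name):
        reasons.append(".vbs written under AppData\\Roaming")
    return reasons


def flag_registry(ev):
    """Flag a read of the configured country code (possible geofence)."""
    if GEO_NATION.search(ev.get("TargetObject", "")):
        return ["reads configured country code (possible geofence)"]
    return []


DETECTORS = {"ProcessCreate": flag_process, "FileCreate": flag_file,
             "RegistryQuery": flag_registry}


def hunt(events):
    """Return [(pid, [reasons])] for every event at least one detector flags."""
    hits = []
    for ev in events:
        reasons = DETECTORS.get(ev.get("EventType"), lambda e: [])(ev)
        if reasons:
            hits.append((ev.get("ProcessId"), reasons))
    return hits


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6d074169094c2f3bdeeb488609460161a451d1598096929d656858e0e7b79e46.exe"
VBS_PATH = r"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

# Constructed events mirroring the process tree above; not a real log export.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 5000, "Image": SAMPLE_EXE,
     "CommandLine": f'"{SAMPLE_EXE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "RegistryQuery", "ProcessId": 5000,
     "TargetObject": r"HKCU\Control Panel\International\Geo\Nation"},
    {"EventType": "FileCreate", "ProcessId": 5000, "TargetFilename": VBS_PATH,
     "SHA256": DROPPED_VBS_SHA256},
    {"EventType": "ProcessCreate", "ProcessId": 4836,
     "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": rf'"C:\Windows\System32\WScript.exe" "{VBS_PATH}"',
     "ParentImage": SAMPLE_EXE},
    # Benign control: a logon script run by the 64-bit host from a system path.
    {"EventType": "ProcessCreate", "ProcessId": 6100,
     "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" C:\Windows\sysvol\logon.vbs',
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS):
        print(pid, "; ".join(reasons))
```

The benign control event at the end is there to show the filter stays quiet for a script host launched from a system path; the match requires the .vbs to sit under AppData\Roaming, and the %TEMP% parent and the SysWOW64/System32 mismatch only add weight once that first condition holds.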