Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2024 14:10

General

  • Target

    dropdrop part 2.exe

  • Size

    29KB

  • MD5

    a442915d156696bfbba8a83de1e57359

  • SHA1

    c94294d815c19ad80cb46dcd16b008e47365bdd4

  • SHA256

    e8121e6e976b91ee3a249446d228654cccfd3d22ccee958bfa583e5c00dc8152

  • SHA512

    fd05a999e602144d16d54a3e91702220c0f8bfaf737e6735448d69993efae1d95f784878f549a4159e936c7da856adf2bf90f1f48696f952b8fcff33b4ffd1e7

  • SSDEEP

    384:5daHArEY71hjWD0nytjRwgVfQaEg6qcldBmMgy2SciHEKPhScLaEFa9TUx6:faHYWDVjKgVf1mngyfFHG+X85Ux

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dropdrop part 2.exe
    "C:\Users\Admin\AppData\Local\Temp\dropdrop part 2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get Model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\system32\findstr.exe
        findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
        3⤵
        PID:4724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat

    Filesize

    5.0MB

    MD5

    eb790c439e5d1d22b7c38d882b0ba1e2

    SHA1

    5b8a3513483508fbf0cf87c74fa68ff6b4001f0a

    SHA256

    cc76762d502715085bec639150acb04dc63f24c4b9e060be7b083b141b1990bf

    SHA512

    c62d36ea9980108ae3753d6c35d0b32ae26d07b9feab1749c722c7cfda18c310f0f76c46d0e7b2c1f0be653d6be706cba0146ff0fa4c64ca7494668a94469a17