Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40
Static task: static1
Behavioral task: behavioral1
  Sample: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe
  Resource: win10v2004-20241007-en
General
Target: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe
Size: 37KB
MD5: a057e03b494fad24de1748180e68e720
SHA1: 5b3d46ebc0e789bdb4cf471883e9c192a65580c6
SHA256: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910
SHA512: d144b2f319bdb3c267ab8b68dc93c00cdcb4d41894b7f1f838da2d584c19c3938f353151b600b2e98dcbd38b02827b04f7ab05c1a49b571f387a1ef92aa62139
SSDEEP: 768:Q3NXvkkRfDjHXRrs9sINeZEtejlIkoLN127BFVn2p4lAnZ8Oo+xNPDbRdvid6eex:EdbjXRrs9sINeZEtejlIkoLN127BFVn0
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
  process: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe

Executes dropped EXE (1 IoC)
Processes:
  pid: 3308
  process: realupdater.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: realupdater.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 2928 wrote to memory of 3308
  process: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe (PID 2928)
  target process: realupdater.exe (PID 3308)

  description: PID 2928 wrote to memory of 3308
  process: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe (PID 2928)
  target process: realupdater.exe (PID 3308)

  description: PID 2928 wrote to memory of 3308
  process: eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe (PID 2928)
  target process: realupdater.exe (PID 3308)
Processes

C:\Users\Admin\AppData\Local\Temp\eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe (PID 2928)
  command line: "C:\Users\Admin\AppData\Local\Temp\eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\realupdater.exe (PID 3308, spawned under PID 2928)
    command line: "C:\Users\Admin\AppData\Local\Temp\realupdater.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
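The signatures and the process tree above describe one chain: the sample reads the locale and country registry keys, drops realupdater.exe into %TEMP%, runs it and writes into its memory. The Python below is an added illustration of how a detection engineer would correlate events of that shape into a single finding; it is not the sandbox's own signature code. The Event layout, the field names and the sample events are constructed for this example to mirror the PIDs, paths and keys in this report, not taken from any real log format.

```python
"""Correlate per-process events into the pattern this report shows:
a process that reads the locale/country registry keys (possible geofence),
spawns an executable from %TEMP% and writes into that child's memory.
Event layout and sample events are constructed for this illustration."""
from dataclasses import dataclass, field
import re

# Registry paths the "Checks computer location settings" and
# "System Language Discovery" signatures key on (suffix match, any hive/SID).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class Event:
    kind: str            # "registry_query", "process_create" or "write_process_memory"
    pid: int             # process performing the action
    image: str           # image path of that process
    target: str = ""     # registry key, or child/target image path
    target_pid: int = 0  # child PID (process_create) or target PID (write_process_memory)


@dataclass
class ProcessState:
    image: str
    locale_keys: set = field(default_factory=set)
    temp_children: set = field(default_factory=set)  # PIDs spawned from %TEMP%
    written_pids: set = field(default_factory=set)   # PIDs this process wrote into


def correlate(events):
    """Return one finding per parent PID that shows all three behaviours."""
    procs = {}
    for ev in events:
        st = procs.setdefault(ev.pid, ProcessState(ev.image))
        if ev.kind == "registry_query":
            if GEO_NATION_RE.search(ev.target) or NLS_LANGUAGE_RE.search(ev.target):
                st.locale_keys.add(ev.target)
        elif ev.kind == "process_create":
            if TEMP_DIR_RE.search(ev.target):
                st.temp_children.add(ev.target_pid)
        elif ev.kind == "write_process_memory":
            st.written_pids.add(ev.target_pid)  # repeated writes collapse into the set

    findings = []
    for pid, st in procs.items():
        injected = st.temp_children & st.written_pids
        if st.locale_keys and injected:
            findings.append({
                "pid": pid,
                "image": st.image,
                "locale_keys": sorted(st.locale_keys),
                "children": sorted(injected),
            })
    return findings


def sample_events():
    """Constructed events mirroring the PIDs, paths and keys in this report."""
    dropper = r"C:\Users\Admin\AppData\Local\Temp\eb3b563b8cc82f30b01b08edbd1d5b64dc468ab2680dcbf718fc63a2fe628910N.exe"
    child = r"C:\Users\Admin\AppData\Local\Temp\realupdater.exe"
    sid = "S-1-5-21-3442511616-637977696-3186306149-1000"
    geo_key = "\\REGISTRY\\USER\\" + sid + r"\Control Panel\International\Geo\Nation"
    lang_key = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
    return [
        Event("registry_query", 2928, dropper, geo_key),
        Event("registry_query", 2928, dropper, lang_key),
        Event("process_create", 2928, dropper, child, 3308),
        # The report lists the same write three times; the detector de-duplicates.
        Event("write_process_memory", 2928, dropper, child, 3308),
        Event("write_process_memory", 2928, dropper, child, 3308),
        Event("write_process_memory", 2928, dropper, child, 3308),
        # The child only reads the language key, which is not enough on its own.
        Event("registry_query", 3308, child, lang_key),
    ]


if __name__ == "__main__":
    for f in correlate(sample_events()):
        print(f"PID {f['pid']} ({f['image']}) read {f['locale_keys']} "
              f"and wrote into dropped child PID(s) {f['children']}")
```

Geo\Nation and NLS\Language are read by plenty of legitimate locale-aware software, and a parent writing into a child it has just created is also what an ordinary process launch looks like in many traces, so neither signal means much alone. The detector therefore only fires when the same parent PID shows all three: a locale lookup, a child spawned from %TEMP%, and writes into that child, which is exactly the combination PID 2928 exhibits here while PID 3308 (language lookup only) stays quiet.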
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: ace23b26499e51b0741c2dec3a0e6d7c
SHA1: 07d6351ee256cd86ebc3fba456daba77ee024eae
SHA256: 726135d6bb9c16a6d027c10c108d46bd543a47770f8c7646229421541826164d
SHA512: 13047d975427f77875572d26f6b90cf96b50e979210be910071c04da9ac065aae5abf46544340ab15ebe2998906f8e0af44b31bd2ee31c4b98ce2ac87db02396