Overview

overview

10

Static

static

7

0hS8ndFapM...Jf.exe

windows7-x64

10

0hS8ndFapM...Jf.exe

windows10-2004-x64

10

0rr48RlGuy...xg.exe

windows7-x64

8

0rr48RlGuy...xg.exe

windows10-2004-x64

8

21oenuW1qn...e5.exe

windows7-x64

10

21oenuW1qn...e5.exe

windows10-2004-x64

10

25jZMPTiQq...9r.exe

windows7-x64

10

25jZMPTiQq...9r.exe

windows10-2004-x64

10

28NEs4WOAb...Dx.exe

windows7-x64

9

28NEs4WOAb...Dx.exe

windows10-2004-x64

9

2DWwzYoIDs...wH.exe

windows7-x64

10

2DWwzYoIDs...wH.exe

windows10-2004-x64

10

4sqg3EO3n4...E3.exe

windows7-x64

10

4sqg3EO3n4...E3.exe

windows10-2004-x64

10

6IvhC9RrHt...Qm.exe

windows7-x64

10

6IvhC9RrHt...Qm.exe

windows10-2004-x64

10

6K69WRpYoP...wA.exe

windows7-x64

3

6K69WRpYoP...wA.exe

windows10-2004-x64

7

6RVcR1WSzn...fp.exe

windows7-x64

3

6RVcR1WSzn...fp.exe

windows10-2004-x64

7

7UwyHmKx00...KA.exe

windows7-x64

9

7UwyHmKx00...KA.exe

windows10-2004-x64

9

88wncypnTK...tt.exe

windows7-x64

88wncypnTK...tt.exe

windows10-2004-x64

1

8Jw_RggGj5...71.exe

windows7-x64

7

8Jw_RggGj5...71.exe

windows10-2004-x64

7

A04WVFPeCH...H9.exe

windows7-x64

10

A04WVFPeCH...H9.exe

windows10-2004-x64

10

A5ulgq_bFX...0Z.exe

windows7-x64

10

A5ulgq_bFX...0Z.exe

windows10-2004-x64

10

AU3ie6Mv1v...zZ.exe

windows7-x64

10

AU3ie6Mv1v...zZ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0rr48RlGuyf8MbsABD4Fd5xg.exe

  • Size

    1.1MB

  • MD5

    3b4348d187f24c82370836531f3fa94e

  • SHA1

    a2ca4e9f4a8d9c8634e42765e90e252803e20b15

  • SHA256

    cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

  • SHA512

    2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

  • SSDEEP

    24576:eDTLDJqGd+zowht2zmctw1CdvHh82JdjGY6LvxwAgRp54+/jrNtIf:qzdkBTce1CxHh8mlGY6LJBu54MjJaf

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe
    "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
          Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3084
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3948
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
            5⤵
            • Blocklisted process makes network request
            • Checks computer location settings
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe
              "C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1844
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 804
                7⤵
                • Program crash
                PID:2432
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1844 -ip 1844
    1⤵
      PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2
      Filesize

      1.3MB

      MD5

      8586e83a33f4c1b8d81f568155663be7

      SHA1

      95a37fbaeb58fafbe14dfae8f539aeff509efb1f

      SHA256

      85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9

      SHA512

      51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
      Filesize

      1.1MB

      MD5

      3b4348d187f24c82370836531f3fa94e

      SHA1

      a2ca4e9f4a8d9c8634e42765e90e252803e20b15

      SHA256

      cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

      SHA512

      2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe
      Filesize

      21KB

      MD5

      858939a54a0406e5be7220b92b6eb2b3

      SHA1

      da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

      SHA256

      a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

      SHA512

      8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

      Download Submit

    • memory/1740-20-0x0000000003970000-0x000000000422E000-memory.dmp

      Filesize

      8.7MB

      Download

    • memory/1740-22-0x00000000042D0000-0x0000000004361000-memory.dmp

      Filesize

      580KB

      Download

    • memory/1740-15-0x00000000038D0000-0x000000000396D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1740-16-0x0000000002E30000-0x0000000002F77000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1740-19-0x00000000038D0000-0x000000000396D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1740-11-0x0000000003810000-0x00000000038C1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/1740-21-0x0000000004230000-0x00000000042C5000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1740-12-0x00000000038D0000-0x000000000396D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1740-23-0x00000000042D0000-0x0000000004361000-memory.dmp

      Filesize

      580KB

      Download

    • memory/1740-25-0x00000000042D0000-0x0000000004361000-memory.dmp

      Filesize

      580KB

      Download

    • memory/1740-26-0x0000000000F20000-0x0000000000F21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1740-27-0x0000000000F20000-0x0000000000F24000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1740-28-0x0000000000F30000-0x0000000000F36000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1740-10-0x0000000002E30000-0x0000000002F77000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1844-43-0x0000000000760000-0x0000000000768000-memory.dmp

      Filesize

      32KB

      Download