Analysis

  • max time kernel
    93s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 12:03

General

  • Target

    0rr48RlGuyf8MbsABD4Fd5xg.exe

  • Size

    1.1MB

  • MD5

    3b4348d187f24c82370836531f3fa94e

  • SHA1

    a2ca4e9f4a8d9c8634e42765e90e252803e20b15

  • SHA256

    cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

  • SHA512

    2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

  • SSDEEP

    24576:eDTLDJqGd+zowht2zmctw1CdvHh82JdjGY6LvxwAgRp54+/jrNtIf:qzdkBTce1CxHh8mlGY6LJBu54MjJaf

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe
    "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
          Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4140
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4972
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr
            5⤵
            • Blocklisted process makes network request
            • Checks computer location settings
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Users\Admin\AppData\Local\Temp\e5888e2.exe
              "C:\Users\Admin\AppData\Local\Temp\e5888e2.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4144
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 804
                7⤵
                • Program crash
                PID:3568
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4144 -ip 4144
    1⤵
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2

    Filesize

    1.3MB

    MD5

    8586e83a33f4c1b8d81f568155663be7

    SHA1

    95a37fbaeb58fafbe14dfae8f539aeff509efb1f

    SHA256

    85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9

    SHA512

    51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

  • C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

    Filesize

    1.1MB

    MD5

    3b4348d187f24c82370836531f3fa94e

    SHA1

    a2ca4e9f4a8d9c8634e42765e90e252803e20b15

    SHA256

    cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

    SHA512

    2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

  • C:\Users\Admin\AppData\Local\Temp\e5888e2.exe

    Filesize

    21KB

    MD5

    858939a54a0406e5be7220b92b6eb2b3

    SHA1

    da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

    SHA256

    a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

    SHA512

    8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

  • memory/4144-41-0x0000000000930000-0x0000000000938000-memory.dmp

    Filesize

    32KB

  • memory/4588-19-0x0000000003DD0000-0x0000000003E65000-memory.dmp

    Filesize

    596KB

  • memory/4588-14-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/4588-17-0x0000000003470000-0x000000000350D000-memory.dmp

    Filesize

    628KB

  • memory/4588-18-0x0000000003510000-0x0000000003DCE000-memory.dmp

    Filesize

    8.7MB

  • memory/4588-13-0x0000000003470000-0x000000000350D000-memory.dmp

    Filesize

    628KB

  • memory/4588-21-0x0000000003E70000-0x0000000003F01000-memory.dmp

    Filesize

    580KB

  • memory/4588-23-0x0000000003E70000-0x0000000003F01000-memory.dmp

    Filesize

    580KB

  • memory/4588-20-0x0000000003E70000-0x0000000003F01000-memory.dmp

    Filesize

    580KB

  • memory/4588-24-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

    Filesize

    4KB

  • memory/4588-25-0x0000000000CA0000-0x0000000000CA4000-memory.dmp

    Filesize

    16KB

  • memory/4588-26-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

    Filesize

    24KB

  • memory/4588-10-0x0000000003470000-0x000000000350D000-memory.dmp

    Filesize

    628KB

  • memory/4588-9-0x00000000033B0000-0x0000000003461000-memory.dmp

    Filesize

    708KB