Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:44

General

  • Target

    5c3a5108cb13a9cf6aee2ce4962c780e431eb3be5f776fd57992b2e4305c239bN.exe

  • Size

    114KB

  • MD5

    ae4ef3ccdb7b4e105c23f6b099ec4cb0

  • SHA1

    3d75d4bda09cdf917ef36fb25e831ef9d1782c5c

  • SHA256

    5c3a5108cb13a9cf6aee2ce4962c780e431eb3be5f776fd57992b2e4305c239b

  • SHA512

    b49a409c48cf99cb7615434225506849d7dfcca1bcc5cab923dffff381d696a71726a19542783c5b17e6113c480ebc93146d4bcf30c3439934ec075044a6d921

  • SSDEEP

    3072:zZjurA1K+w7KMuu1F+/jmSkmngV5CvMabvl:1V9pj/2+2QDbt

Malware Config

Signatures

  • Modifies firewall policy service (3 TTPs, 4 IoCs)
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (13 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c3a5108cb13a9cf6aee2ce4962c780e431eb3be5f776fd57992b2e4305c239bN.exe
    "C:\Users\Admin\AppData\Local\Temp\5c3a5108cb13a9cf6aee2ce4962c780e431eb3be5f776fd57992b2e4305c239bN.exe"
    1⤵
    • Modifies firewall policy service
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:4432

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\msrpc.exe

          Filesize

          114KB

          MD5

          3d7392f76cc32c515715ee39605d59e1

          SHA1

          c8807f4a744959f80718ff9ba6a6d0468220f72b

          SHA256

          7e782400d26a7cb395b6a862f4c2fd9cb634bec337f9f5579704c83cf3fef333

          SHA512

          23e4699d9d40cc16473b352d92a489c5509d4e72aee4c674d58a88990d669d7a4814ef731b478a583a3c91aad3d451670df34d548e77a76342dea1fef6d2f38a

        • memory/4432-0-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4432-17-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4432-18-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4432-19-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB
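The report gives two kinds of actionable data: file indicators (the sample and dropped-file hashes, the C:\Windows\msrpc.exe path) and behaviour signatures (Run key, policy Run key, service ImagePath, firewall policy modification). The script below is an added triage example, not part of the sandbox report or the sandbox's own code. It matches hashes against the report's IoCs and runs the behaviour signatures over a few constructed Sysmon-style events (Event ID 11 file create, Event ID 13 registry value set). The registry key locations are assumed from the signature names (the standard Run, Policies\Explorer\Run, Services\<name>\ImagePath and SharedAccess FirewallPolicy keys); the report does not list the exact keys or value names, and the "msrpc" value name in the sample events is a guess.

```python
"""Triage helper built from the report's indicators and signature names.

Added example, not from the report. Hashes and the dropped-file path are
taken from the report; registry locations and the sample events below are
assumptions constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# SHA256 indicators as listed in the report.
SHA256_IOCS: Dict[str, str] = {
    "5c3a5108cb13a9cf6aee2ce4962c780e431eb3be5f776fd57992b2e4305c239b": "submitted sample",
    "7e782400d26a7cb395b6a862f4c2fd9cb634bec337f9f5579704c83cf3fef333": "dropped C:\\Windows\\msrpc.exe",
}
DROPPED_PATHS = {r"c:\windows\msrpc.exe"}

# Registry patterns mapped to the report's signature names. The key paths are
# the usual locations for each behaviour (assumed, not stated by the report).
# Order matters: the policy Run key is checked before the plain Run key.
REGISTRY_RULES: List[Tuple[str, str]] = [
    (r"\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
     "Adds policy Run key to start application"),
    (r"\\software\\microsoft\\windows\\currentversion\\run\\",
     "Adds Run key to start application"),
    (r"\\system\\currentcontrolset\\services\\[^\\]+\\imagepath$",
     "Sets service image path in registry"),
    (r"\\system\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\",
     "Modifies firewall policy service"),
]


def match_hash(sha256_hex: str) -> Optional[str]:
    """Return the report's label for a known SHA256, or None."""
    return SHA256_IOCS.get(sha256_hex.strip().lower())


def match_bytes(data: bytes) -> Optional[str]:
    """Hash file contents and look them up against the report's IoCs."""
    return match_hash(hashlib.sha256(data).hexdigest())


def classify_registry(target_object: str) -> Optional[str]:
    """Map a Sysmon TargetObject to a report signature name, if any."""
    t = target_object.lower()
    for pattern, name in REGISTRY_RULES:
        if re.search(pattern, t):
            return name
    return None


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run the file and registry signatures over Sysmon-like event dicts.

    Returns (signature name, matched object) pairs in event order.
    """
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            path = ev.get("TargetFilename", "")
            if path.lower() in DROPPED_PATHS:
                hits.append(("Drops file in Windows directory", path))
        elif eid == 13:  # RegistryEvent (value set)
            target = ev.get("TargetObject", "")
            name = classify_registry(target)
            if name:
                hits.append((name, target))
    return hits


# Constructed Sysmon-style events: one per behaviour from the report, plus a
# benign registry write that should not fire. Value names are assumed.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\msrpc.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msrpc",
     "Details": r"C:\Windows\msrpc.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc",
     "Details": r"C:\Windows\msrpc.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\msrpc\ImagePath",
     "Details": r"C:\Windows\msrpc.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


if __name__ == "__main__":
    for sig, obj in triage(SAMPLE_EVENTS):
        print(f"{sig}: {obj}")
    print(match_hash("7e782400d26a7cb395b6a862f4c2fd9cb634bec337f9f5579704c83cf3fef333"))
```

On a live host the same rules apply to real Sysmon Event ID 11/13 records exported from the Microsoft-Windows-Sysmon/Operational log; the hash lookup is the cheap first pass, the registry rules catch a re-packed copy whose hash no longer matches.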