Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 16:48

General

  • Target

    59670e0da7ab843887efdd611306c7d6c05f061c4e08bb545ccb3836f7ce1c6dN.exe

  • Size

    1.7MB

  • MD5

    d0a2ce9c3713480f80a4ba511d926e10

  • SHA1

    6b4bcb74a6303b50f9360f44af9301debdae57e7

  • SHA256

    59670e0da7ab843887efdd611306c7d6c05f061c4e08bb545ccb3836f7ce1c6d

  • SHA512

    b83cf9567617b86beef564709d48e44be007c6104dd1553fca66207882764324c87ace82f674c5beb0c2f9eb8a3a8a56f3f2546e8a0618e6f145140a1e5f26a4

  • SSDEEP

    24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNz:mbTChxKCnFnQXBbrtgb/iQvu0UHOq

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59670e0da7ab843887efdd611306c7d6c05f061c4e08bb545ccb3836f7ce1c6dN.exe
    "C:\Users\Admin\AppData\Local\Temp\59670e0da7ab843887efdd611306c7d6c05f061c4e08bb545ccb3836f7ce1c6dN.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3736
          • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 1412
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2108
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3308
              • C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2840
                • C:\Windows\SysWOW64\mscaps.exe
                  "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                  8⤵
                  • Executes dropped EXE
                  PID:4408
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8349.tmp

    Filesize

    406B

    MD5

    37512bcc96b2c0c0cf0ad1ed8cfae5cd

    SHA1

    edf7f17ce28e1c4c82207cab8ca77f2056ea545c

    SHA256

    27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

    SHA512

    6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

  • C:\Users\Admin\AppData\Local\Temp\wtmps.exe

    Filesize

    276KB

    MD5

    75c1467042b38332d1ea0298f29fb592

    SHA1

    f92ea770c2ddb04cf0d20914578e4c482328f0f8

    SHA256

    3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

    SHA512

    5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

    Filesize

    172KB

    MD5

    daac1781c9d22f5743ade0cb41feaebf

    SHA1

    e2549eeeea42a6892b89d354498fcaa8ffd9cac4

    SHA256

    6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

    SHA512

    190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

  • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

    Filesize

    1.2MB

    MD5

    e2e93857f8ea5ff3130d5779e559bcb5

    SHA1

    aeeb643eb80aae49caa357f9cf4c4157a339a845

    SHA256

    f9b0f6d989db651bb433efc0ed90ab758d17c0d738a703a8218cf7e9d3847580

    SHA512

    d9aeec44b8f464cff0f0b48de58b65385f39cd53daa8b893241e2c3169033cbe75e03650df47f524007e0b61361e20745ced483b832e62248065066f0b4504bd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

    Filesize

    1.7MB

    MD5

    3d165846ea6a86c9850c254e0cd012cd

    SHA1

    cafbf4f01e7a5ed2e1fa0efb4762ae84589cf85a

    SHA256

    b886c36c06e0712e1d3e72700d47ff43fafe89dd9d41274a9ddf1e0ec808e439

    SHA512

    63818d2fe265ef79c4f8ea21c786fb94f2879bf4f8ac2285009b3f80fa2290e0f7d24e61bb4a2eab4c775899a0de70b7b714ee62f347796a620cf3d0b2966ac2

  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

    Filesize

    129B

    MD5

    d1073c9b34d1bbd570928734aacff6a5

    SHA1

    78714e24e88d50e0da8da9d303bec65b2ee6d903

    SHA256

    b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

    SHA512

    4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

    Filesize

    304B

    MD5

    fb6b21742affc21307818e4c3d1bcfec

    SHA1

    158898d3e999db397fa5d42e1967dfb287e13566

    SHA256

    2996c755a0970493cb10d72d2ba86fcf1fdcb925d4c660b869ca6289a4f7e95a

    SHA512

    18e6d76ef737e6ba7ca32eb589a3850a17a3d7445619ece06ad1dde34b47782a45bc3a70951f5df8c632061951f0418b0b56d7d3df1b39024088f347f437ae0a

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

    Filesize

    126B

    MD5

    b3263e14706f0a89ce18bb2cddd794e4

    SHA1

    794b3b74135923d476c00b42e5a3d0fb2931fca2

    SHA256

    dee0cfbd6e43cc4093e53c3eb8c0a9ab42e3eab1950622aa2d4eece34a364694

    SHA512

    d268489ecd1c8422ab3706dd2e8d428ebe79d764ef54c4752c76281de75be5c8c1ad746529ad66536f24a306c12bf57c67484b19151d87e5ffebac07ce136982

  • C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

    Filesize

    102B

    MD5

    3ca08f080a7a28416774d80552d4aa08

    SHA1

    0b5f0ba641204b27adac4140fd45dce4390dbf24

    SHA256

    4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0

    SHA512

    0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

  • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    388KB

    MD5

    e1e47695a0b98432911311352b63eaed

    SHA1

    836142e550301e0fc13c1a047aae5a2f4481d7cd

    SHA256

    c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0

    SHA512

    da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961

  • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    388KB

    MD5

    8d7db101a7211fe3309dc4dc8cf2dd0a

    SHA1

    6c2781eadf53b3742d16dab2f164baf813f7ac85

    SHA256

    93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

    SHA512

    8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

  • C:\Windows\SysWOW64\mscaps.exe

    Filesize

    200KB

    MD5

    78d3c8705f8baf7d34e6a6737d1cfa18

    SHA1

    9f09e248a29311dbeefae9d85937b13da042a010

    SHA256

    2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

    SHA512

    9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

  • memory/4320-0-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB