Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 16:42
Static task: static1
Behavioral task: behavioral1
  Sample: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe
  Resource: win10v2004-20241007-en
General
Target: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe
Size: 255KB
MD5: 788694b7baa26fb737137e7269716a0c
SHA1: 28d2a6a371d2a6a97bb805aa6c4fc42b5218333f
SHA256: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057
SHA512: e037c1377607ce487fb83cd6dabaec5548398c3fb14d7d503e8b4b03fef94c1f74c7f8d778549a43e0ce6390078f205480ed48e2df8271a48caaab67f9e60992
SSDEEP: 6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQqW:EeGUA5YZazpXUmZhJW
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe)
- Executes dropped EXE (1 IoC)
  PID 368: a1punf5t2of.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" (process: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1punf5t2of.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1304 (87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe) wrote to memory of PID 368, procid_target 100 (3 identical entries)
  PID 368 (a1punf5t2of.exe) wrote to memory of PID 2164, procid_target 101 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe "C:\Users\Admin\AppData\Local\Temp\87116c9c8b3896216d763178a26277ed5ce162217141f7f6025063392d932057.exe" (PID 1304)
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe" (PID 368)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe" (PID 2164)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 255KB
MD5: 7cbde7fbbce29cfaece6573950cf5976
SHA1: 767e39c757b1106c02353b4a421b6e5acc959823
SHA256: f87b725d1d32dfe5c45c6c5cc28598b49dd5ad574acb67ec6cd7e40d5bc3ac32
SHA512: 8a02cc007947c8baf10cdc7a054fdce72e0ce2afdeb70fd4c92113cb93fec99ec10cfefaf395632dbec95228e5ef91ddeb2efe8b721df42cd8253555ce4e9828