Overview

overview

7

Static

static

3

83dfdef199...d5.exe

windows7-x64

7

83dfdef199...d5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    50s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83dfdef1999c80ec447f6a3acfb8ab64333cf2c9d012a9d7b37d90eca07d3bd5.exe

  • Size

    78KB

  • MD5

    0c3836e824cb3ad3d48f56318cbfde84

  • SHA1

    70fbdd54c95b26bf6817d65f5dfc395f25ca0d43

  • SHA256

    83dfdef1999c80ec447f6a3acfb8ab64333cf2c9d012a9d7b37d90eca07d3bd5

  • SHA512

    4a8ae1e72e22fdbf1c7ff02789e36ae90448b76cb3546a6e978aefbd2d6b1366136bd268e75d8d134efae0431555fd36f3b51d9c455f7e1bb0fb21976a74c466

  • SSDEEP

    1536:0eNbbLsha0pLXtdNWm2uNYhm1cSMehm1s/XZIG:0eNwDpXt7CLSMehm2/XZh

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83dfdef1999c80ec447f6a3acfb8ab64333cf2c9d012a9d7b37d90eca07d3bd5.exe
    "C:\Users\Admin\AppData\Local\Temp\83dfdef1999c80ec447f6a3acfb8ab64333cf2c9d012a9d7b37d90eca07d3bd5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\appdata\local\temp\winlgon.exe
      "C:\Users\Admin\appdata\local\temp\winlgon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\winlgon.exe
    Filesize

    78KB

    MD5

    d189aa571b9c6b34130a3d6f5c2b23a5

    SHA1

    62916c3bedc7222956a6b50c1675b1e13b263473

    SHA256

    c8f2dc6bdad5c64f46ea2fdee0a12be19848ab4fcda994183bebad074741609a

    SHA512

    9d254f25bd3f2942f7d8224045822f9e57e27807cffcb87f794749dd228235b1921410f4eb18b7bd9dc19f77dd46e3a342acd2e68cbc4a0a6b06f3e654ff0d44

    Download Submit