Overview

overview

8

Static

static

3

55646dcc5f...fc.exe

windows7-x64

8

55646dcc5f...fc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55646dcc5ff3dff6640506d09fd9ffd270973fd920e29e968531a4b2df1575fc.exe

  • Size

    2.5MB

  • MD5

    e7efb48b374fc3589ec6be9f781716fc

  • SHA1

    6e0d6e82e84385eafc1e7f38b444d4a46de63acc

  • SHA256

    55646dcc5ff3dff6640506d09fd9ffd270973fd920e29e968531a4b2df1575fc

  • SHA512

    8f42efaaf2d56f29779f804cb1df1c8de62ffc86d31d1379d0d658e94702a7300fe9e8df0d5efcbdedf2bbaf2c98fdd0b3ee348f3a4fbea1458c9ac44d155899

  • SSDEEP

    49152:IwbmXVc6q/k62mtrJuQPC/74pEF7qhS3alXRI3NbD/QQ2HG6SHL/8+3:Iwcudy5/748alO9bLkmI

Score
8/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55646dcc5ff3dff6640506d09fd9ffd270973fd920e29e968531a4b2df1575fc.exe
    "C:\Users\Admin\AppData\Local\Temp\55646dcc5ff3dff6640506d09fd9ffd270973fd920e29e968531a4b2df1575fc.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\55646dcc5ff3dff6640506d09fd9ffd270973fd920e29e968531a4b2df1575fc.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Users\Admin\AppData\Local\Temp\ExpressAccounts-3532-1\Installer.exe
        C:\Users\Admin\AppData\Local\Temp\ExpressAccounts-3532-1\Installer.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Users\Admin\AppData\Local\Temp\n2s\nchsetup.exe
          "C:\Users\Admin\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\ExpressAccounts-3532-1\Installer.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n2s\nchdata.dat"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ExpressAccounts-3532-1\Installer.exe
    Filesize

    2.5MB

    MD5

    38400b9ef545c6e5c7e5d6f45c351b9c

    SHA1

    0da3d9bd8b4beba738ea284389ae91579a823726

    SHA256

    86dc6642ebeb2ba69618a82dabf403188d3c48603749bf75500249bfdf88571b

    SHA512

    40feb328fbf028b7a0b7dbca57640324ff15a45a27035a277789fcb0f598804c99d79fb3e9990966a4b1ece73b23e6310fd28e5b19a75c27ee7b31f536b27b6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat
    Filesize

    1.6MB

    MD5

    56fd278e590cfb770a6fafcbabfa0cf5

    SHA1

    21105e95998c1c3dea3d40cc9619097ce3a26547

    SHA256

    cef7a42356f5fe2c1998e8fef00c6a86ffe1f82fbe98bdab70c400e3a7a15a4b

    SHA512

    678a42fde4daa8ad7e750a18150bab006d0bfe7d451fd2916bd9476967e0964168355440f594cca9ecf84ea1eb93a2c4884c9cba3e22ccf7960e3d718e4464ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
    Filesize

    3.7MB

    MD5

    da3244888f5ada3767ac437d1f82beec

    SHA1

    698ba853e522bbf6bc4370d4e619ac3f311e26ba

    SHA256

    2ece7501b636a1876a0c98a1901691d0159ef5db4734a65d8a5498907a572cdf

    SHA512

    9621201b8b6263e9a0d12c10c0c3d08a19f2aa78f0d96906260460ee40ceacf5fd6a196dc46e608301866af5dc48443c5a0f21ff8311db942e51ccc75593d124

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n2s\nchsetup.exe
    Filesize

    3.6MB

    MD5

    d462aca4e6bc86ae2ebc0c3de913ff47

    SHA1

    9815368a0cf0ff9976340c863554ea1b4c6c340a

    SHA256

    b50d7d597ec31063b8b555130b76dd8c35d9e0ecbbfd3cca5864b8da72792d8e

    SHA512

    1eba86ff6ec6467b6eaef3b66ccc8ae06e1473b26c7a2340c360126723dbcccf03e977df0cc214967f7ed0663257119c87dae946089b53c05d6f85d40e7ae17b

    Download Submit