Overview

overview

7

Static

static

3

b24de95a18...af.exe

windows7-x64

7

b24de95a18...af.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b24de95a18c41cc29bd59f1162473a2b6963f407223ad9a0675747b34aa735af.exe

  • Size

    465KB

  • MD5

    ca15457cc20a4cbec0829d4a6b0c605c

  • SHA1

    5a67a4c01a1aecd189b3825a24d4214a97c4b0fe

  • SHA256

    b24de95a18c41cc29bd59f1162473a2b6963f407223ad9a0675747b34aa735af

  • SHA512

    31938f34f40b59d0b9e9b097bc611ea113cd8cd2908494fdbdc69537789438b65151c6300e8217e03ed0b00c425d5b7f4489998e06f82f07fcf0da5a285476f3

  • SSDEEP

    6144:mBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8XLpIh9jil1:5pQD+mO5KWy/zrVbt4fcYg9U9jI1

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 46 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b24de95a18c41cc29bd59f1162473a2b6963f407223ad9a0675747b34aa735af.exe
    "C:\Users\Admin\AppData\Local\Temp\b24de95a18c41cc29bd59f1162473a2b6963f407223ad9a0675747b34aa735af.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4976
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1488
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:872
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5056
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5016
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2576
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4064
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:960
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1820
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2296
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4924
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1420
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3952
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3132
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4920
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:836
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2156
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1752
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2400
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4624
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4788
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2276
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3288
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5056
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:320
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3212
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4028
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1300
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2488
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4352
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1096
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3052
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4088
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1796
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3880
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4596
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4920
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2932
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1092
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3940
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2400
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1732
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5100
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1068
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1452
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1484
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\LSASS.exe
    Filesize

    465KB

    MD5

    9bed7083f45f420496323c321165ed11

    SHA1

    4761400f5565c94e788c298ea45bd416905b3c84

    SHA256

    12919e156f9429f94e20cba746e7bf2549d35ae45f3088306d217d3e418f6293

    SHA512

    9551382f0bc15bb4b3f014dca9ef4cb7ac740c6533a9aa88ee467f2bdc35f1dcee171b667c33ce7e06ca33b521cde806c2a1821d48d40f5081c32088d78eaede

    Download Submit

  • C:\Windows\LSASS.exe
    Filesize

    465KB

    MD5

    103c074cfa12d52bf9f7d0d8b3d1a5bf

    SHA1

    aaccc897449b96422f87bf7eb7f8a8b868b423e9

    SHA256

    26f3153b36a4432135e18d827dc7f3782dfb773e4287b72f64a2b6ca8c2d69c4

    SHA512

    63fad1e2e413286dd5044d9ca9d5a45b51f6a050135d54ae9d3b29171780f8528f03c3ed00496ae731412b3ffd0803ff0f18932fbf44159d75b31a55c2fe1ad2

    Download Submit

  • C:\autorun.inf
    Filesize

    190B

    MD5

    b1445c7f646c6ca9a7597791af38d575

    SHA1

    91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

    SHA256

    220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

    SHA512

    533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

    Download Submit

  • memory/872-108-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1084-0-0x0000000005E10000-0x0000000005E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1084-35-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-163-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-109-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-110-0x0000000001570000-0x0000000001571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4912-129-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-146-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-34-0x0000000001570000-0x0000000001571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4912-180-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-198-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-215-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-232-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-249-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-266-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4912-283-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download