Overview

overview

8

Static

static

3

f215dc963c...65.exe

windows7-x64

8

f215dc963c...65.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f215dc963cb6a3b587ce247e879de8c9178655edde5de4f6223b2c7d1f46f065.exe

  • Size

    110KB

  • MD5

    6886318251537429ea8a325981408b9e

  • SHA1

    af07229aa7bb34f8d68644917cb7bf57204b1f26

  • SHA256

    f215dc963cb6a3b587ce247e879de8c9178655edde5de4f6223b2c7d1f46f065

  • SHA512

    d001bcfbaf062dbf8a2d39251c24ae00407997d8a248ad2ddfbd69e9ea30fb92194cd05506f013fa536bc5aeb743cf873fc6952008b9909d178322493ab73e0d

  • SSDEEP

    1536:jPf9wIXONbslJy2e0xrT41xwMMxg/tqHHHsFTgkRJgI+oapbV8Xnb/t:jP1wIXO2uL04YIgHwTgkRJgp38XnJ

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f215dc963cb6a3b587ce247e879de8c9178655edde5de4f6223b2c7d1f46f065.exe
    "C:\Users\Admin\AppData\Local\Temp\f215dc963cb6a3b587ce247e879de8c9178655edde5de4f6223b2c7d1f46f065.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Recycle.Bin\zXba\dwn_FGroTQg.exe
      "C:\Recycle.Bin\zXba\dwn_FGroTQg.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Recycle.Bin\zXba\dwn_MMtUGF.exe
        "C:\Recycle.Bin\zXba\dwn_MMtUGF.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ىзنه.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Windows\System32\PING.EXE
            "C:\Windows\System32\PING.EXE" -n 1 www.google.com
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3752
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Cзجلг.vbs"
          4⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\System32\PING.EXE
            "C:\Windows\System32\PING.EXE" -n 1 www.google.com
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycle.Bin\zXba\dwn_FGroTQg.exe
    Filesize

    110KB

    MD5

    d253fcad9891c4a6ef2f70460197b203

    SHA1

    a5c2f7d9687781ffcdcdd2bc97b174c0b22c6ce6

    SHA256

    53900970b06d9cbc1ef6734123721e5df2b4e85c1de69df5fbf8dae04fcf5192

    SHA512

    eda092cc45a78e1171c09934e7ed35cfddcc07dee5d717961356473e84637deac73130e8b11db65aff2f1578dba8d5ef23c243185c59892872bb9a64ca4a2cf8

    Download Submit

  • C:\Recycle.Bin\zXba\tik_PfmWrOI.txt
    Filesize

    7B

    MD5

    f68946148955b43d4a869d01ff727c29

    SHA1

    fe86995c44334f4aa307c8505452894bf531b830

    SHA256

    ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

    SHA512

    a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

    Download Submit

  • C:\Recycle.Bin\zXba\tik_ebb.txt
    Filesize

    4B

    MD5

    d3accd33402becc720abebee93ebe193

    SHA1

    7362b81a747f7e757e03d0c4d2e20822d7f52bf5

    SHA256

    9f2a59a60e65fbcd5a3e1b7248adf92890ce3a32b19e43fb4751c2657196de13

    SHA512

    4becf1bca4f0375aa0262b27fd05d35c8868d0d79b2ead2d815eb3caff11a913516e7b9461094d9a0b61b33d6995c3947681222f35e93322862d2675bbab1a12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\order_Cзجلг.vbs
    Filesize

    1KB

    MD5

    52144323bbd860ff4124981f02fa0f34

    SHA1

    8cd30e31bcdb15073fe06289a323b368784a9950

    SHA256

    e92eede123cc1c3aa2e07df5fdbea854d28923108ab2bb53c3173a5cbed386db

    SHA512

    bed4b631b0c8c8ba2abb1463c86b55c26b6c28fac5e5062e9350ce3dc7903490e6e6acd713330692a37e37e379f802a80a0ebac98efdda62d09dd56159d034f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\order_ىзنه.vbs
    Filesize

    394B

    MD5

    5dc7142226fe8f31126ab993bb70453d

    SHA1

    ace6b75a13e956babf54f35c4afb6a8083c4e824

    SHA256

    981d47aa410d924cae359c53037c2a594ece7f4e9430d733bc9c0083ca71ad2a

    SHA512

    a5997c6c67a255c7565dddeb598d0ca55b84e17f31718bc15afa931d7c66a831ff203e995045502fdfad92740297d9ac8e75314b0bc88b5da92c28f8371796f6

    Download Submit

  • memory/3160-6-0x0000000001130000-0x0000000001138000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3160-5-0x000000001C390000-0x000000001C436000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3160-7-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-8-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-2-0x000000001BE10000-0x000000001C2DE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3160-0-0x00007FFD22435000-0x00007FFD22436000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-67-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-65-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-44-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-1-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3160-61-0x00007FFD22435000-0x00007FFD22436000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-3-0x000000001B860000-0x000000001B8FC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3160-4-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-41-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-49-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-46-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-45-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-43-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4476-42-0x00007FFD22180000-0x00007FFD22B21000-memory.dmp

    Filesize

    9.6MB

    Download