Overview

overview

10

Static

static

3

dd7f06cb41...5b.exe

windows7-x64

7

dd7f06cb41...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe

  • Size

    685KB

  • MD5

    67a61a5b722dd63bbe160c472b845e1a

  • SHA1

    1490776613fd477ef1812ef5d620b9e4867f390a

  • SHA256

    dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b

  • SHA512

    ea4fce6129277fcb96309d49a08e2ae16489ec0bd75e2d5dc6413be80fefbd97581c924726a00ebd81e67041328db11fd3bca4d2374142b3b86e90a725c42c7b

  • SSDEEP

    12288:3Z8nkF9oy1ADvMKdhAS0jjLz7hoo3RpEcvALALdt/xBot/FcEic/3IWVscSfVo8s:3Z8nkF9oySiLz72ooSru/so3V9xmA0k

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
    "C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
      "C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\remove25021.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4352
      • C:\Windows\service.exe
        "C:\Windows\service.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\service.exe
          "C:\Windows\service.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:1712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\remove25021.bat
    Filesize

    267B

    MD5

    069a41c368782098ed3231fb21b1bf6a

    SHA1

    588c355e4b622e6f996585539028400da3c928d3

    SHA256

    6af02d1e17de464995a473da5e9c9a9be554b4ac1b95c59d2ea2feb6d836fe3b

    SHA512

    cd62e817b2d5366ca1a9f2ff89f6a481e8c9c00b371f0d23e9df58d11e453c7b731ac2fdd079697e2a434a0e2049fbfec919643838191e9844fd904601c86373

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\shell32.dll
    Filesize

    51B

    MD5

    47a8ba1ac93ed45a6c0730f839996ebe

    SHA1

    cb866994aae108d550d8e86de8f72113385ea013

    SHA256

    ad13a0f3f6c294009c8909aa19cb7a0b92e4cc8a39345a004cfdf0edd51b5f9e

    SHA512

    bdd6d1897495836b837b570add6d8a28a81dc9d67524af966d77e4c074e771628de4a7e2147c6a40336276cf03cd4014a91c461cc409f96fed0ca5ec425bb8cc

    Download Submit

  • C:\Windows\service.exe
    Filesize

    686KB

    MD5

    bf9e5a05c5e1ffe373660fd64d31129c

    SHA1

    b692e3cfc6bac3e13749fff168d4074b24474e0c

    SHA256

    365f7e6d2208b8d3ebe6ba59469e38735589b5b30c039986f903186861777019

    SHA512

    844efe515bc2f82f05776b01d5d4e2c8df3c3e6fdc7167c7bbcd02a1660fcdf2d168adb53d0c0d760b3c1c0d81870baea28213d0d938bfe6d6b8fe090946be10

    Download Submit

  • memory/1712-54-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1712-59-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1712-58-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1712-57-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1712-53-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1780-4-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1780-48-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1780-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1780-3-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3280-55-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4316-2-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download