Overview

overview

10

Static

static

10

a1bc0999e0...5b.exe

windows7-x64

7

a1bc0999e0...5b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe

  • Size

    481KB

  • MD5

    d9881fa3c932f199bcb890e36ac36676

  • SHA1

    45e3594e48c03fb40916c32ef6b0ba605dacb7f4

  • SHA256

    a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b

  • SHA512

    1e99e2cb9b1652159db224c2d4f1111683b789bcd1234215f8c3cc63910046d72f664b9bfd93a2a84270ac7213dd1de3bd0c7da7b9ac01e22f0c42d168454450

  • SSDEEP

    12288:luD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSL+DY:I09AfNIEYsunZvZ19Z0s

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe
    "C:\Users\Admin\AppData\Local\Temp\a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qpynzyxkirrgvnptiamsalkksnibj.vbs"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:64

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\registro\registros.dat
    Filesize

    184B

    MD5

    7a2119abb6e6409fd53ad5fcc406892e

    SHA1

    72f5f5c19b3ff57ccf3b5b2977b543587a4cdcc6

    SHA256

    343374fa774560c04a413f69133180c8403b84db1cd7ee26f66b8505e1ab5f33

    SHA512

    61e8d6e37dfa2f204554f52b4367b3a0f178bc736f948041a0f905da64f4de213137f4813543498c9c2e37ba020b158929a50ca46f0ed1caeac3b373560a4fd1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qpynzyxkirrgvnptiamsalkksnibj.vbs
    Filesize

    728B

    MD5

    8cdd01aac2fd1c6f575330776cfe246a

    SHA1

    7d1c3721dbef4a66a71fe8372d24c9f90ee1101a

    SHA256

    c684ffb20cbb4d5ef7d280318e827857e573741af2bc2f0c1f784e79a2e9d56f

    SHA512

    d3c36c078360b871ec1ee49c506124fcb5cb2a9cc3673eae78d367b848ad34fcbb38bab784523e095097c91a43c94eec282a8b7710b91a2e9ae19a0bf168bd28

    Download Submit