Overview

overview

10

Static

static

10

a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    43s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.exe

  • Size

    165KB

  • MD5

    ab291dfdae1f44bd81ec75de9dd657d6

  • SHA1

    3cfca0456d8037e9759bce00991bd06d6dab8c86

  • SHA256

    578bd705fdf85e864f09780e885c2a04305a719038b66b2ff5639bf2572600de

  • SHA512

    71239480308c81ff5f4cde60cb54d05e37cb966ed276dd01cd70536728474d5f412aada83504890c065b6e34ff354fc5920f12b9ccd9a11875711fcffffc5cea

  • SSDEEP

    3072:fP8VpD/T68Q8wsWMS1kDGo/JzlJCFEw2iNb0Zr15bO:fP8V2f1k7/JBYW/ebmO

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3196
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\a.exe" /sc minute /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1136
    • C:\Windows\x64dbg.exe
      "C:\Windows\x64dbg.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1444
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Windows\x64dbg.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3804
  • C:\Users\Admin\AppData\Local\Temp\a.exe
    C:\Users\Admin\AppData\Local\Temp\a.exe
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5044
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\a.exe" /sc minute /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a.exe.log
    Filesize

    408B

    MD5

    40b0c3caa1b14a4c83e8475c46bf2016

    SHA1

    af9575cda4d842f028d18b17063796a894ecd9d0

    SHA256

    70e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867

    SHA512

    916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7

    Download Submit

  • C:\Windows\x64dbg.exe
    Filesize

    165KB

    MD5

    ab291dfdae1f44bd81ec75de9dd657d6

    SHA1

    3cfca0456d8037e9759bce00991bd06d6dab8c86

    SHA256

    578bd705fdf85e864f09780e885c2a04305a719038b66b2ff5639bf2572600de

    SHA512

    71239480308c81ff5f4cde60cb54d05e37cb966ed276dd01cd70536728474d5f412aada83504890c065b6e34ff354fc5920f12b9ccd9a11875711fcffffc5cea

    Download Submit

  • memory/2172-3-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-4-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2304-0-0x0000000074932000-0x0000000074933000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2304-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2304-10-0x0000000074932000-0x0000000074933000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-11-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2304-16-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

    Download