Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 23:24

General

  • Target

    lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe

  • Size

    87KB

  • MD5

    a579d53a1d29684de6d2c0cbabd525c5

  • SHA1

    17661a04b4b150a6f70afdabe3fd9839cc56bee8

  • SHA256

    6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82

  • SHA512

    a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817

  • SSDEEP

    1536:PwjBg7Rj2r+65ofVkOu2avMtRsCtQqES1IVSJjXTmgacggNp:YjBY12G7uJvMnsGQhSYEmgacx

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lab_samples\6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe
    "C:\Users\Admin\AppData\Local\Temp\lab_samples\6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=javascript>"+(new%20ActiveXObject("WScript.Shell")).RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CheckDone","RunDll32.exe%20\"C:\\Windows\\System32\\api-ms-win-core-advapi-l1-1-0.dll\",init","REG_SZ")+"\74/script>")
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4284
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-advapi-l1-1-0.dll",init
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1384
        3⤵
        • Program crash
        PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1852 -ip 1852
    1⤵
      PID:2056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-advapi-l1-1-0.dll

      Filesize

      36KB

      MD5

      75f71713a429589e87cf2656107d2bfc

      SHA1

      f7608ef62a45822e9300d390064e667028b75dea

      SHA256

      b6fff95a74f9847f1a4282b38f148d80e4684d9c35d9ae79fad813d5dc0fd7a9

      SHA512

      cfadd55e93f00a91e9c6c3804725aa85e65e76039ec6021607ce7bb5dd30369329aae7cd11344c703094090e1f9be513988703f9a4cb8b2223464254a9104b93