Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 18:06
Static task
- static1
Behavioral task
- behavioral1
  - Sample: SIGNED PO CIF0245605.exe
  - Resource: win7-20240611-en
Behavioral task
- behavioral2
  - Sample: SIGNED PO CIF0245605.exe
  - Resource: win10v2004-20240508-en
General
- Target: SIGNED PO CIF0245605.exe
- Size: 1.1MB
- MD5: 1c1fabf576e7e33845d1aaee8db39272
- SHA1: 0ded35b3b43e3540a649dd73cef5de4e5450317d
- SHA256: 25ba3e8b7fd0d0b446923d26a3da174e89c7f88e7cd1ad8308f3e4f9283e7129
- SHA512: 51d0d9ca44fba6500677d55c6635afd5872aae0d35b492c20a6a72d20004e4a83ec3247bddb1ffd599a313c73d0f5eeddc02926cf7cbec09de27e3a247d070dc
- SSDEEP: 24576:8NA3R5drXzJN+6EfxhcMfqDHRLVROPc1jZFQYcHO6lP2vh:951NYEMkHtVR11jZ63w5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: SIGNED PO CIF0245605.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | SIGNED PO CIF0245605.exe
- Executes dropped EXE (1 IoC)
  Processes: ttscsakex.exe
  pid | process
  1652 | ttscsakex.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: SIGNED PO CIF0245605.exe
  description | pid | process | target process
  PID 3592 wrote to memory of 1652 | 3592 | SIGNED PO CIF0245605.exe | ttscsakex.exe
  PID 3592 wrote to memory of 1652 | 3592 | SIGNED PO CIF0245605.exe | ttscsakex.exe
  PID 3592 wrote to memory of 1652 | 3592 | SIGNED PO CIF0245605.exe | ttscsakex.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SIGNED PO CIF0245605.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SIGNED PO CIF0245605.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\i6364d4810\ttscsakex.exe
    Command line: "C:\Users\Admin\i6364d4810\ttscsakex.exe" ejolicthg.lwn
    - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\i6364d4810\ttscsakex.exe
  - Filesize: 646KB
  - MD5: a3e8113ff31e86152d4a384dab4ea102
  - SHA1: 28cabe6b57d14f6dd47a880c51bc9726d017989f
  - SHA256: d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977
  - SHA512: f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290