Analysis
-
max time kernel
135s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 23:24
Static task
static1
Behavioral task
behavioral1
Sample
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe
Resource
win10v2004-20240611-en
General
-
Target
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe
-
Size
37KB
-
MD5
be18e6809bc428a07024448cbbad0040
-
SHA1
f40ef33d6624021f3a32fd3eedead1dc4d0db823
-
SHA256
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638
-
SHA512
ba55d8f045dd9867e6b6a88b38b8ee42503453cb29c89b1d3abeee42b2d9b297b507e1e7896d06e4d2f4f1e24f430bc60c84bcc0853a32460888c8ede3ef7961
-
SSDEEP
384:uBT+/jvJ7+gFrJk04OMcYyJXFpOQGR9zos2clAKLHRN74u56/R9zZwu9z9:WOZ+gr36qlXOQ69zbjlAAX5e9zP
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation 7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe -
Executes dropped EXE 1 IoCs
Processes:
comupdater.exepid process 4776 comupdater.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exedescription pid process target process PID 1568 wrote to memory of 4776 1568 7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe comupdater.exe PID 1568 wrote to memory of 4776 1568 7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe comupdater.exe PID 1568 wrote to memory of 4776 1568 7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe comupdater.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe"C:\Users\Admin\AppData\Local\Temp\7dd2dd7b7ff209d2d19d45ee5f945e66d9daf387f141a210c611788b925b1638.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\comupdater.exe"C:\Users\Admin\AppData\Local\Temp\comupdater.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\comupdater.exeFilesize
37KB
MD584734e76e52a6b0acf104110a208d17b
SHA1574008f23e260af051fd4e9f8beb00f59a9ba391
SHA256e4b77270fd84551ea316e44509c4bd066fb23624d4f23e46e39c7696f3639f90
SHA51273206e77153003ffbb545b93ab083510851a4cb0029792c1e791b090a2299be51e5a1d7337ec4ca5a53a78c87b47034a4789f12a1b6acba7e4b292d1550122b4
-
memory/1568-0-0x0000000000401000-0x0000000000402000-memory.dmpFilesize
4KB
-
memory/4776-9-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB