Overview

overview

10

Static

static

10

e4a80728e6...5b.exe

windows7-x64

1

e4a80728e6...5b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4a80728e6f8efdefc6f75560196ceda43d8835b1038feccd6b132cbc6ff6b5b.exe

  • Size

    9.3MB

  • MD5

    a8b40d4763f08d51bfed24d0bf258d0a

  • SHA1

    2d949f75673e7489ccdabb266134a951dbf5586f

  • SHA256

    e4a80728e6f8efdefc6f75560196ceda43d8835b1038feccd6b132cbc6ff6b5b

  • SHA512

    7ad834243e35af6ecdafe253bffc7b80d2020737e92ad0a82fbb881fde4506c7e6759e05e114ece6c91eda6f3877d4b6ede4a11d73ec4b20b383648b5f42f5c9

  • SSDEEP

    196608:nPRWJbVQPXVB6F9xnRE3PHBDmsqfMcTKyb0qJQmhp:og/VB3VEdsC7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4a80728e6f8efdefc6f75560196ceda43d8835b1038feccd6b132cbc6ff6b5b.exe
    "C:\Users\Admin\AppData\Local\Temp\e4a80728e6f8efdefc6f75560196ceda43d8835b1038feccd6b132cbc6ff6b5b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Roaming\Load.exe
      "C:\Users\Admin\AppData\Roaming\Load.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Load.exe
    Filesize

    1.2MB

    MD5

    e541172f456ea5acf9ccfd33b4051fc1

    SHA1

    60193ac3cb3f6063cf432776c3d8bd22a549bd49

    SHA256

    3badf2601b723bbf99d19027dc0d8756228be0557f45e9b3e2e48fd211bc3823

    SHA512

    f08cbf9d3658a3aa8e7c8d62e49aed80f8cd280d53e074ccc65314d2c9bf940ea7efa567eefa68d7b9af0eb9d5e0720dc83e3da3cfef112458c199353ccac597

    Download Submit
  • memory/4480-0-0x0000000003060000-0x0000000003061000-memory.dmp
    Filesize

    4KB

    Download