aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43

Analysis

max time kernel
967s
max time network
973s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe
Size

2.0MB
MD5

2e020a70248abae9b8ddcd756b6772bb
SHA1

7dfdee2681d138925a56d579b0e9ca569a5d0c3e
SHA256

aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43
SHA512

659b527af1d3187340a8499e3c3921bad047cd1506c8a23e1c6004681ff4f1643b6de3951cd4580c4c29e6678c25a94b254b7dd931cfcc70ba8fdb1398edf7fc
SSDEEP

49152:/40niy8/68jwJFIhHu2ocFMRk9XW/osfPE:/liys68jwJyhO2JFMe+osU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1872	1420	aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe	85
PID 1420 wrote to memory of 1872	1420	aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe	85
PID 1420 wrote to memory of 1872	1420	aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe	85

C:\Users\Admin\AppData\Local\Temp\aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe
"C:\Users\Admin\AppData\Local\Temp\aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe
  "C:\Users\Admin\AppData\Local\Temp\X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Filesize
1.8MB

MD5
79735d07c150b89ebda93e94e228c2e5

SHA1
4b58ac326bb988ebacbf214a4a32a0a21a04a636

SHA256
1ddc6a0217c9f2f97601e9268df9092f621b01ab19fb8dc4f7d9c1d6f27f3bdf

SHA512
ce04350906c0363b6596a9f3c4abeea9bfcac8622573400b6ae3207bf1c92449c16f7d359846a8ff5ad49ede686600a4b1d560a2b16f4afd48426e65d9a008fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Filesize
1.8MB

MD5
79735d07c150b89ebda93e94e228c2e5

SHA1
4b58ac326bb988ebacbf214a4a32a0a21a04a636

SHA256
1ddc6a0217c9f2f97601e9268df9092f621b01ab19fb8dc4f7d9c1d6f27f3bdf

SHA512
ce04350906c0363b6596a9f3c4abeea9bfcac8622573400b6ae3207bf1c92449c16f7d359846a8ff5ad49ede686600a4b1d560a2b16f4afd48426e65d9a008fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\X_TRADER.exef90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43.exe

Filesize
1.8MB

MD5
79735d07c150b89ebda93e94e228c2e5

SHA1
4b58ac326bb988ebacbf214a4a32a0a21a04a636

SHA256
1ddc6a0217c9f2f97601e9268df9092f621b01ab19fb8dc4f7d9c1d6f27f3bdf

SHA512
ce04350906c0363b6596a9f3c4abeea9bfcac8622573400b6ae3207bf1c92449c16f7d359846a8ff5ad49ede686600a4b1d560a2b16f4afd48426e65d9a008fc

Download Submit