8a572189d449be581188db033f77172d4f84649cdddaa81e8f00390e8e71a987

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arrow/2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe
Size

28KB
MD5

6082510f97c65c06f1d21809efa9d040
SHA1

78e65ca4aef33eea338a2972f19679552cb7c701
SHA256

2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee
SHA512

fc56029acc10a16f98d0405d9dca6e33be996a8ae2bc7353c4cac9b5431566cdb675da975740f5cd428ef24f28c3542e2070dd6d29e9b519d55d92a0ea5fc649
SSDEEP

768:heqX/79Z4TCXfVsNuRVbpLchtszwBRUgT6TtQ0nt:hBX/zlsNuRVbWawBKgT6TtQK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	4560	WerFault.exe	81

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2188	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2160	4560	2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe	82
PID 4560 wrote to memory of 2160	4560	2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe	82
PID 4560 wrote to memory of 2160	4560	2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe	82
PID 2160 wrote to memory of 2188	2160	cmd.exe	84
PID 2160 wrote to memory of 2188	2160	cmd.exe	84
PID 2160 wrote to memory of 2188	2160	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\arrow\2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe
"C:\Users\Admin\AppData\Local\Temp\arrow\2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout 20
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:2188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1264
  2⤵
  - Program crash
  PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4560 -ip 4560
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4560-133-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/4560-134-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4560-135-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download