3994c8e0aecd846d4745bee253585ab2787b6b5fe80ccac607dada63db1b4177

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

H90490861252¬F.exe
Size

667KB
MD5

f4ebd2a2d0ff857cca296b6d868e94b0
SHA1

e284b010ec634795cfe4da2cb4ea376480fdb6d4
SHA256

3994c8e0aecd846d4745bee253585ab2787b6b5fe80ccac607dada63db1b4177
SHA512

11811a3f7c67c279f754f4202c4c24cad8d2953b0863bb2663019b3d5ca966e605dad567241e88cdd4905aba3e5b8243292a8e74c68d8805e6d228df17c5f828
SSDEEP

12288:Rgi0cO/aRB7kBfqQqVw2yJ5rcQm6dTxqooWjrARw75WSaLpG/4YBZRyIL9oI0+Ip:6i0vTcSaLpG/4AZfBT0+Ip

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	H90490861252¬F.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealTimeSync.lnk	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3044	4936	H90490861252¬F.exe	82
PID 4936 wrote to memory of 3044	4936	H90490861252¬F.exe	82
PID 3044 wrote to memory of 1652	3044	cmd.exe	84
PID 3044 wrote to memory of 1652	3044	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\H90490861252¬F.exe
"C:\Users\Admin\AppData\Local\Temp\H90490861252¬F.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\nteAHcu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\npo.vbs
    3⤵
    - Drops startup file
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\npo.vbs

Filesize
266B

MD5
0afb917ba386246fabc326974d425ac6

SHA1
8d130bae0c9d886104174d0840981eefdd3c19e6

SHA256
9626c6c3116dff963d2ec86d75bada031af8b32321e1a45168847de50b78cfe8

SHA512
1121e349b38a6dbe7d82c52a595d3cdc11f425dd2973b14ef64c1b9154ef7984ef8cb57baf0ba08b9f0a1383d65770684cd166cb9cb7231671bef995b634139a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nteAHcu.bat

Filesize
561B

MD5
530bb5ce143b3d66c1006208635adc47

SHA1
419d5a5c11793d6cdebf87b9f9db82520e11f318

SHA256
0c2525cb50d8238ae90ee403b023bad9cc0448bb4a7539396a21fc53bd657512

SHA512
64bd65571b860e6ac8c9077f19e7ca4007cfe46187c6d40b9efe4ffd9bd9a25723d76f13a76ba6759a8829c6eb7453c2708b31acf07e55b2f24d089b2e786c98

Download Submit