19c125ec21bdf0fd09bcfdc04d3ca03627466b11a51edf2751973215ed880e02

Analysis

max time kernel
34s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2023, 20:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe
Size

6.4MB
MD5

c9fd6de022676d650d3295b8e4770ef3
SHA1

927776254b89a3a3af56cfc720b1ba1b31a84ae9
SHA256

19c125ec21bdf0fd09bcfdc04d3ca03627466b11a51edf2751973215ed880e02
SHA512

a20912fd8e2417bb692b34428794a7573c3c93d4c38758356ecd79dba0688ecf1174dde02ea1ef7fb023258e073192496a40823c99ec5c4068d9d55f6aa0190c
SSDEEP

196608:5gX3iD1qNgbki87LiP5v2itC7HPi5cwv3QyHr:5Fagbki86PxE7viYs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	GLB8513.tmp

Executes dropped EXE 2 IoCs

pid	Process
2044	GLB8513.tmp
312	dxtest.exe

Loads dropped DLL 5 IoCs

pid	Process
2044	GLB8513.tmp
2044	GLB8513.tmp
2044	GLB8513.tmp
2044	GLB8513.tmp
2044	GLB8513.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2044	1000	19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe	85
PID 1000 wrote to memory of 2044	1000	19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe	85
PID 1000 wrote to memory of 2044	1000	19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe	85
PID 2044 wrote to memory of 312	2044	GLB8513.tmp	86
PID 2044 wrote to memory of 312	2044	GLB8513.tmp	86
PID 2044 wrote to memory of 312	2044	GLB8513.tmp	86

C:\Users\Admin\AppData\Local\Temp\19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe
"C:\Users\Admin\AppData\Local\Temp\19C125EC21BDF0FD09BCFDC04D3CA03627466B11A51EDF2751973215ED880E02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\GLB8513.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB8513.tmp 4736 C:\Users\Admin\AppData\Local\Temp\19C125~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\dxtest.exe
    "C:\Users\Admin\AppData\Local\Temp\dxtest.exe"
    3⤵
    - Executes dropped EXE
    PID:312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLB8513.tmp

Filesize
70KB

MD5
a90a18b9f5913fea1fac0dcae222a79e

SHA1
375b5616e7d9aa85c79c69c8636baa96e5a0f374

SHA256
1f1a1ac554defc3002b0119b461e475e678b7cb1592e1fb280bcb9f842ade0f3

SHA512
8685869fc75d1066a6878ff7bafa4512c63b4e4d49620784dbcc863b0401173937b55723ad45b1d075904ec7fb3a68bc91c328d511bb70e4ff8a79679f76673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB8513.tmp

Filesize
70KB

MD5
a90a18b9f5913fea1fac0dcae222a79e

SHA1
375b5616e7d9aa85c79c69c8636baa96e5a0f374

SHA256
1f1a1ac554defc3002b0119b461e475e678b7cb1592e1fb280bcb9f842ade0f3

SHA512
8685869fc75d1066a6878ff7bafa4512c63b4e4d49620784dbcc863b0401173937b55723ad45b1d075904ec7fb3a68bc91c328d511bb70e4ff8a79679f76673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC865B.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF8AC4.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF8AC4.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF8AC4.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLM86AA.tmp

Filesize
12KB

MD5
484cb68472473a1a84ff07996bb8c1f6

SHA1
bce9d810f2558e73854e7c8e05f122b002558e9a

SHA256
15bb390af019d92e1d02771b02335fa360db1bb34bcf4f0c72705027428f4ff1

SHA512
5f756d11290e0240fabeab6cb638f7e42024b95b5a44eea6b44dba610919a9d9d5654a87af29ef249fb22bfb9eae7dadd3abb42faa594a465efa1ff358a2fd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLM86AA.tmp

Filesize
12KB

MD5
484cb68472473a1a84ff07996bb8c1f6

SHA1
bce9d810f2558e73854e7c8e05f122b002558e9a

SHA256
15bb390af019d92e1d02771b02335fa360db1bb34bcf4f0c72705027428f4ff1

SHA512
5f756d11290e0240fabeab6cb638f7e42024b95b5a44eea6b44dba610919a9d9d5654a87af29ef249fb22bfb9eae7dadd3abb42faa594a465efa1ff358a2fd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxtest.exe

Filesize
5KB

MD5
858a016acfa24ade77aa475c08b4ac5a

SHA1
afca4c85cc2239e2808194e972506e558a381ba0

SHA256
d8102d0cbc3292add759edb6306989ca4c945ad1cd7bf66907582fd77e37a81e

SHA512
ee9876e47c3128e5615c701a124ec7ed270baa1cb5875ab8dc44477e3c68c486b610d02c3cecfb699aecd65f23369eefe4e589798682f265341ff156b1d56d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxtest.exe

Filesize
5KB

MD5
858a016acfa24ade77aa475c08b4ac5a

SHA1
afca4c85cc2239e2808194e972506e558a381ba0

SHA256
d8102d0cbc3292add759edb6306989ca4c945ad1cd7bf66907582fd77e37a81e

SHA512
ee9876e47c3128e5615c701a124ec7ed270baa1cb5875ab8dc44477e3c68c486b610d02c3cecfb699aecd65f23369eefe4e589798682f265341ff156b1d56d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxtest.exe

Filesize
5KB

MD5
858a016acfa24ade77aa475c08b4ac5a

SHA1
afca4c85cc2239e2808194e972506e558a381ba0

SHA256
d8102d0cbc3292add759edb6306989ca4c945ad1cd7bf66907582fd77e37a81e

SHA512
ee9876e47c3128e5615c701a124ec7ed270baa1cb5875ab8dc44477e3c68c486b610d02c3cecfb699aecd65f23369eefe4e589798682f265341ff156b1d56d4b

Download Submit