474eca1ef80533c60080a208a15b3f8f3a73d0e8cc1af138f07272a6bc178f7c

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2023, 06:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

003737.exe
Size

300KB
MD5

d93dd4200d1997c9b734bc2b1de77dc8
SHA1

9b96aa19510fd49e13d394017284c325ea81dc7c
SHA256

12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6
SHA512

9aacc357225cc8462dc6ebdb4c93528ec28796b847788e645865b2a987e501f57cb4c3ba3cc3894971c3a6fc6dc1f3ad207399f7078cdea388629c1c8987e6cf
SSDEEP

6144:AYa6rb6wHR86N8RbEpztPAZ3IZUOGAdHwWM0g4uGFzq8Mh:AYJbFx86CBEe3Il/LpXukQh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	003737.exe

Loads dropped DLL 1 IoCs

pid	Process
4252	003737.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4252 set thread context of 2908	4252	003737.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe
2908	003737.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4252	003737.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	003737.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 2908	4252	003737.exe	85
PID 4252 wrote to memory of 2908	4252	003737.exe	85
PID 4252 wrote to memory of 2908	4252	003737.exe	85
PID 4252 wrote to memory of 2908	4252	003737.exe	85

C:\Users\Admin\AppData\Local\Temp\003737.exe
"C:\Users\Admin\AppData\Local\Temp\003737.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\003737.exe
  "C:\Users\Admin\AppData\Local\Temp\003737.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj92C1.tmp\rnthgfcoj.dll

Filesize
82KB

MD5
5f691d38b05f393f4ff97567762c27a7

SHA1
d713e31e3f4c3543971acfd67d061b06a8ac9560

SHA256
cc4843512076608573c285a95e03361732dab93ae78fba41daba40711ceb9a0c

SHA512
26a5ac9d318de6279977eeebcab4de3e13aedee0a70d7293c9d9efd79ad8afb9c224fedc254115fb52a2df209ea747bb19caf601393b907e52d92c55fba37fb6

Download Submit
memory/2908-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-142-0x0000000000990000-0x0000000000CDA000-memory.dmp

Filesize
3.3MB

Download
memory/2908-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download