38fbf70eab07cec4d16bd04be4c7ac5d50f77bfc94dd15491303286f4e187988

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2023, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03042299.exe
Size

184KB
MD5

0fa2aad469281d398f6dd6724465c43e
SHA1

415bdc540ea135f3b4e5de48e0238aa17f02c59f
SHA256

38fbf70eab07cec4d16bd04be4c7ac5d50f77bfc94dd15491303286f4e187988
SHA512

3e81565b77e34d0273b63f6194df5e66d996e687392eb95954e3ead6dc6e2071ac7733c28682dc57f9740a046380ae86592df3598ff1a25d319ee1ce3c2debcc
SSDEEP

3072:nV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPvHqzzXIf4MDXOBE6+:qt5hBPi0BW69hd1MMdxPe9N9uA069TB1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	03042299.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 448	1224	03042299.exe	84
PID 1224 wrote to memory of 448	1224	03042299.exe	84
PID 448 wrote to memory of 2292	448	cmd.exe	86
PID 448 wrote to memory of 2292	448	cmd.exe	86
PID 2292 wrote to memory of 476	2292	net.exe	87
PID 2292 wrote to memory of 476	2292	net.exe	87
PID 448 wrote to memory of 3892	448	cmd.exe	88
PID 448 wrote to memory of 3892	448	cmd.exe	88
PID 3892 wrote to memory of 1500	3892	net.exe	89
PID 3892 wrote to memory of 1500	3892	net.exe	89
PID 448 wrote to memory of 1356	448	cmd.exe	90
PID 448 wrote to memory of 1356	448	cmd.exe	90
PID 1356 wrote to memory of 1548	1356	net.exe	91
PID 1356 wrote to memory of 1548	1356	net.exe	91
PID 448 wrote to memory of 2820	448	cmd.exe	92
PID 448 wrote to memory of 2820	448	cmd.exe	92
PID 2820 wrote to memory of 1680	2820	net.exe	93
PID 2820 wrote to memory of 1680	2820	net.exe	93
PID 448 wrote to memory of 1652	448	cmd.exe	94
PID 448 wrote to memory of 1652	448	cmd.exe	94
PID 1652 wrote to memory of 2244	1652	net.exe	95
PID 1652 wrote to memory of 2244	1652	net.exe	95
PID 448 wrote to memory of 4432	448	cmd.exe	96
PID 448 wrote to memory of 4432	448	cmd.exe	96
PID 4432 wrote to memory of 3508	4432	net.exe	97
PID 4432 wrote to memory of 3508	4432	net.exe	97
PID 448 wrote to memory of 3140	448	cmd.exe	98
PID 448 wrote to memory of 3140	448	cmd.exe	98
PID 3140 wrote to memory of 2188	3140	net.exe	99
PID 3140 wrote to memory of 2188	3140	net.exe	99
PID 448 wrote to memory of 1960	448	cmd.exe	100
PID 448 wrote to memory of 1960	448	cmd.exe	100
PID 1960 wrote to memory of 392	1960	net.exe	101
PID 1960 wrote to memory of 392	1960	net.exe	101
PID 448 wrote to memory of 796	448	cmd.exe	102
PID 448 wrote to memory of 796	448	cmd.exe	102
PID 796 wrote to memory of 3192	796	net.exe	103
PID 796 wrote to memory of 3192	796	net.exe	103
PID 448 wrote to memory of 4596	448	cmd.exe	104
PID 448 wrote to memory of 4596	448	cmd.exe	104
PID 4596 wrote to memory of 216	4596	net.exe	105
PID 4596 wrote to memory of 216	4596	net.exe	105
PID 448 wrote to memory of 228	448	cmd.exe	106
PID 448 wrote to memory of 228	448	cmd.exe	106
PID 228 wrote to memory of 4292	228	net.exe	107
PID 228 wrote to memory of 4292	228	net.exe	107
PID 448 wrote to memory of 4796	448	cmd.exe	108
PID 448 wrote to memory of 4796	448	cmd.exe	108
PID 4796 wrote to memory of 4664	4796	net.exe	109
PID 4796 wrote to memory of 4664	4796	net.exe	109
PID 448 wrote to memory of 4812	448	cmd.exe	110
PID 448 wrote to memory of 4812	448	cmd.exe	110
PID 4812 wrote to memory of 4052	4812	net.exe	111
PID 4812 wrote to memory of 4052	4812	net.exe	111
PID 448 wrote to memory of 3580	448	cmd.exe	112
PID 448 wrote to memory of 3580	448	cmd.exe	112
PID 3580 wrote to memory of 2068	3580	net.exe	113
PID 3580 wrote to memory of 2068	3580	net.exe	113
PID 448 wrote to memory of 3068	448	cmd.exe	114
PID 448 wrote to memory of 3068	448	cmd.exe	114
PID 3068 wrote to memory of 1160	3068	net.exe	115
PID 3068 wrote to memory of 1160	3068	net.exe	115
PID 448 wrote to memory of 3908	448	cmd.exe	116
PID 448 wrote to memory of 3908	448	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\03042299.exe
"C:\Users\Admin\AppData\Local\Temp\03042299.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6892.tmp\6893.tmp\6894.bat C:\Users\Admin\AppData\Local\Temp\03042299.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\net.exe
    net user Virus Admin7502 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin7502 /add
      4⤵
      PID:476
- - C:\Windows\system32\net.exe
    net user Virus Admin21263 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin21263 /add
      4⤵
      PID:1500
- - C:\Windows\system32\net.exe
    net user Virus Admin2515 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin2515 /add
      4⤵
      PID:1548
- - C:\Windows\system32\net.exe
    net user Virus Admin13348 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin13348 /add
      4⤵
      PID:1680
- - C:\Windows\system32\net.exe
    net user Virus Admin1349 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin1349 /add
      4⤵
      PID:2244
- - C:\Windows\system32\net.exe
    net user Virus Admin11731 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin11731 /add
      4⤵
      PID:3508
- - C:\Windows\system32\net.exe
    net user Virus Admin31688 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin31688 /add
      4⤵
      PID:2188
- - C:\Windows\system32\net.exe
    net user Virus Admin10426 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin10426 /add
      4⤵
      PID:392
- - C:\Windows\system32\net.exe
    net user Virus Admin21602 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin21602 /add
      4⤵
      PID:3192
- - C:\Windows\system32\net.exe
    net user Virus Admin5410 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin5410 /add
      4⤵
      PID:216
- - C:\Windows\system32\net.exe
    net user Virus Admin13865 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin13865 /add
      4⤵
      PID:4292
- - C:\Windows\system32\net.exe
    net user Virus Admin24051 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin24051 /add
      4⤵
      PID:4664
- - C:\Windows\system32\net.exe
    net user Virus Admin26598 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin26598 /add
      4⤵
      PID:4052
- - C:\Windows\system32\net.exe
    net user Virus Admin8265 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin8265 /add
      4⤵
      PID:2068
- - C:\Windows\system32\net.exe
    net user Virus Admin9690 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin9690 /add
      4⤵
      PID:1160
- - C:\Windows\system32\net.exe
    net user Virus Admin13489 /add
    3⤵
    PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin13489 /add
      4⤵
      PID:4268
- - C:\Windows\system32\net.exe
    net user Virus Admin26235 /add
    3⤵
    PID:3780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin26235 /add
      4⤵
      PID:2948
- - C:\Windows\system32\net.exe
    net user Virus Admin16219 /add
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin16219 /add
      4⤵
      PID:1448
- - C:\Windows\system32\net.exe
    net user Virus Admin3698 /add
    3⤵
    PID:672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin3698 /add
      4⤵
      PID:1368
- - C:\Windows\system32\net.exe
    net user Virus Admin26301 /add
    3⤵
    PID:420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin26301 /add
      4⤵
      PID:3080
- - C:\Windows\system32\net.exe
    net user Virus Admin21784 /add
    3⤵
    PID:1288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin21784 /add
      4⤵
      PID:4672
- - C:\Windows\system32\net.exe
    net user Virus Admin3203 /add
    3⤵
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin3203 /add
      4⤵
      PID:3568
- - C:\Windows\system32\net.exe
    net user Virus Admin26177 /add
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin26177 /add
      4⤵
      PID:2336
- - C:\Windows\system32\net.exe
    net user Virus Admin698 /add
    3⤵
    PID:636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin698 /add
      4⤵
      PID:4736
- - C:\Windows\system32\net.exe
    net user Virus Admin29476 /add
    3⤵
    PID:3316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin29476 /add
      4⤵
      PID:3336
- - C:\Windows\system32\net.exe
    net user Virus Admin18328 /add
    3⤵
    PID:1484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin18328 /add
      4⤵
      PID:4060
- - C:\Windows\system32\net.exe
    net user Virus Admin13202 /add
    3⤵
    PID:3844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin13202 /add
      4⤵
      PID:4124
- - C:\Windows\system32\net.exe
    net user Virus Admin25687 /add
    3⤵
    PID:872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin25687 /add
      4⤵
      PID:4740
- - C:\Windows\system32\net.exe
    net user Virus Admin8670 /add
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin8670 /add
      4⤵
      PID:4104
- - C:\Windows\system32\net.exe
    net user Virus Admin12274 /add
    3⤵
    PID:4792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin12274 /add
      4⤵
      PID:5088
- - C:\Windows\system32\net.exe
    net user Virus Admin20269 /add
    3⤵
    PID:2416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin20269 /add
      4⤵
      PID:4244
- - C:\Windows\system32\net.exe
    net user Virus Admin31945 /add
    3⤵
    PID:960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin31945 /add
      4⤵
      PID:404
- - C:\Windows\system32\net.exe
    net user Virus Admin23292 /add
    3⤵
    PID:2524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin23292 /add
      4⤵
      PID:4316
- - C:\Windows\system32\net.exe
    net user Virus Admin12412 /add
    3⤵
    PID:3856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin12412 /add
      4⤵
      PID:3740
- - C:\Windows\system32\net.exe
    net user Virus Admin12320 /add
    3⤵
    PID:3776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin12320 /add
      4⤵
      PID:548
- - C:\Windows\system32\net.exe
    net user Virus Admin32633 /add
    3⤵
    PID:2080
- - C:\Windows\system32\net.exe
    net user Virus Admin31378 /add
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin31378 /add
      4⤵
      PID:2412
- - C:\Windows\system32\net.exe
    net user Virus Admin4619 /add
    3⤵
    PID:1792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin4619 /add
      4⤵
      PID:4176
- - C:\Windows\system32\net.exe
    net user Virus Admin9407 /add
    3⤵
    PID:4968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin9407 /add
      4⤵
      PID:4996
- - C:\Windows\system32\net.exe
    net user Virus Admin18169 /add
    3⤵
    PID:4876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin18169 /add
      4⤵
      PID:4908
- - C:\Windows\system32\net.exe
    net user Virus Admin24630 /add
    3⤵
    PID:3148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin24630 /add
      4⤵
      PID:400
- - C:\Windows\system32\net.exe
    net user Virus Admin10222 /add
    3⤵
    PID:1836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin10222 /add
      4⤵
      PID:4424
- - C:\Windows\system32\net.exe
    net user Virus Admin7402 /add
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin7402 /add
      4⤵
      PID:5056
- - C:\Windows\system32\net.exe
    net user Virus Admin1597 /add
    3⤵
    PID:476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin1597 /add
      4⤵
      PID:2292
- - C:\Windows\system32\net.exe
    net user Virus Admin11106 /add
    3⤵
    PID:1500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin11106 /add
      4⤵
      PID:3892
- - C:\Windows\system32\net.exe
    net user Virus Admin10951 /add
    3⤵
    PID:1548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin10951 /add
      4⤵
      PID:3660
- - C:\Windows\system32\net.exe
    net user Virus Admin27022 /add
    3⤵
    PID:3144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin27022 /add
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    net user Virus Admin6664 /add
    3⤵
    PID:3912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin6664 /add
      4⤵
      PID:3668
- - C:\Windows\system32\net.exe
    net user Virus Admin5914 /add
    3⤵
    PID:4260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Virus Admin5914 /add
      4⤵
      PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Virus Admin32633 /add
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6892.tmp\6893.tmp\6894.bat

Filesize
1KB

MD5
b73cf76512dde873e8dcf1387a40a096

SHA1
14ab762aeed194ceb69bfc5bf2cf91d212ec7fcd

SHA256
e3a3da40936ed6a0314c3129d447805127f40318e7c5a28c9e3107e0606aeaad

SHA512
3b0989d3108ccd2d62e84f59ae80aa135dd034d1d29c2be1c04526545aba0ef4911609bb28f94768265af69931fc7df4fb586c767e820630a001c72d697fa178

Download Submit