e93318e1f0a7c29404fbc9d3c32381909a8031034048f883dc765b44ffcd19b0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2023, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winbox5.exe
Size

3.0MB
MD5

893c605269a21105aa9ecc131774c02c
SHA1

29a23e0af35787a314cd8926b660db22da288a9c
SHA256

e93318e1f0a7c29404fbc9d3c32381909a8031034048f883dc765b44ffcd19b0
SHA512

c25d3916e8cc8e8b7fd25cff2470b66c9b47c290b3fd7f7efddfd74a413463131c3e2e7857477a9d6c698c8bb2b7216d4ddfc293e70fcb65a737eed3ba15e8d7
SSDEEP

49152:h+l4PhQLoJxCWzpnErBPMPVOLopkxWzpneByDedPiiLobtJWzpneBGi9:h+/oGug/o4uoWuo3uo19

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	winbox5.exe

Executes dropped EXE 1 IoCs

pid	Process
1800	winbox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1800	1304	winbox5.exe	84
PID 1304 wrote to memory of 1800	1304	winbox5.exe	84
PID 1304 wrote to memory of 1800	1304	winbox5.exe	84

C:\Users\Admin\AppData\Local\Temp\winbox5.exe
"C:\Users\Admin\AppData\Local\Temp\winbox5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\Application Data\Mikrotik\Winbox\winbox.exe
  "C:\Users\Admin\Application Data\Mikrotik\Winbox\winbox.exe"
  2⤵
  - Executes dropped EXE
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\advtool.dll

Filesize
63KB

MD5
6f2046c5aafd5c77da38c8143e9fd8a3

SHA1
62a97ed86d94ea87f3086473f68522678e2241d5

SHA256
45f8b0fe8956a376ee2fed2dfb852752af6054c70265c7f8bca4ecec24f7df49

SHA512
8fc2e8c7a939a2ec70b2cae7c6c903eede3117fe066939d7607ac78ca124a3a37db828561af1b3fc8a58be58cb40a96c5f278c26cb7abd29e185b85510f64a09

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\dhcp.dll

Filesize
72KB

MD5
55644c51a5ba468d11adcc7b6df5c758

SHA1
efaf06e9a129631c0d384f7bb800cf2e17f98534

SHA256
1c69d62af98dfed8705f21142c274e2958705e51cddf9768d5d6123e06a0d785

SHA512
d02cdff5f047a10b5f7c9c58c799339321d62d574c9f5273620b7e93943b848d5d124b9824d19c9aafa2f83693f23a04cff0c1bd04ad9b0f55490fec8ca80fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\hotspot.dll

Filesize
79KB

MD5
d22ea7298e3f26fd94e4f670992a5e47

SHA1
379b010fb2c8089a5f83d15fbf315560e962f721

SHA256
787b88cbb551ba25e3d9406c9aea458d6513b1f90e6c4019e02a9200d5ec11e6

SHA512
8fd9088bd5ddbe75c7d8331bbd3062501df117a0bf074738695c7326d1d9c6b3bf0fa892c390155367cba5d9009eb811f257332eee8b504ce14425b90aab6140

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\ipv6.dll

Filesize
81KB

MD5
e4cf3d5ce07925de8ef6188db4ee038c

SHA1
b3900e7dab0c6dc2fda85e73f704b05a1fabd78e

SHA256
88dbccf164889ed592669fe1e280883cdfda8f1621134dc09f8b297432886d31

SHA512
1f1641b774626d3366a64a2645294a6e97ff8ac4ca21e488217e6a19a7ac00f01f71db7067223747d36fdaa386d6dda3ff73df061d00f2203ad5c998eeb6dfd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\isdn.dll

Filesize
57KB

MD5
f47304e4673b51e65889ab64381d7262

SHA1
5543721ff695c9009c5e3fb10af05f88edc0ddaf

SHA256
eacdcba89c40d41148f3bca6678e1a5d5811be8bac94befe8bc2e160976d37bb

SHA512
d95322f5a2fdf1a083cf00a5520cecabb7d6c5cb5084de05bd2f4540d1d4b00004e5154d30813440cc34768baecf2d585079fc3434a957adee4965453172e25e

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\kvm.dll

Filesize
64KB

MD5
01d8aeaa3181b7239527f950b46d779c

SHA1
8ff2256528d88d06b9d6583527ab662c06af8cbb

SHA256
926048fabfc04eb2ff729971108d4142c3e08a6af9b13d45fa2897d3905ab618

SHA512
f889f7c3c90c0186e8ebf1731eb2038f6294fe71f8a051af253149c05dd5e078c5538245e04437f211e56e599fae67c9135564710b42a7651cc71af4e8183865

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\lcd.dll

Filesize
58KB

MD5
e28f8f8b93f92ec8e749b437bf2aeca1

SHA1
20af80a3a597b34906e3b3924caa4021cd0f707f

SHA256
e8a6c8bc42e8295207260e4385778b339384f3405f979aed0605f7c5a4995110

SHA512
86177f42b73e97fc66af2f8184194d95d850b5253796363f143c811826c4b5f8c2ca2d572641f75c2a39b7e6eea376da1c0756c8020268c479b85ff282930c63

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\mpls.dll

Filesize
79KB

MD5
3eb2e7187c02545fc8898d915adc7624

SHA1
3b0daedacc45f19d70304d41c7b113e7b1e48f68

SHA256
c1e5017968675258d95552e7eb9983d4152b771966eac4a634e28a01e22d8e5b

SHA512
5c0565c0debb7c34605496371fe03208d1c74c814724a7cf264af26b562d3fb4952c3e1792ceff2548f4ed9f82c895111623157ec8d206ceccf4d2c8e2c9e30d

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\ntp.dll

Filesize
59KB

MD5
d35f876de303a363668f7242b855b2a9

SHA1
2f35d7ecb05b81b2d9cb42bcf54554485a8e5922

SHA256
48c86bf55471ba7e9d1dd64c0732a1b12ceb98aa20ba284d9bdf6807ef461de6

SHA512
581f4524c421888ec6b20c2bd194b04af62d5fa65786e9a5c870b5f2d1c1feafff717664faa576ea6ecea5610c581b90958d5ebade61ea647a2af6b1ebd8ec91

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\pim.dll

Filesize
71KB

MD5
349b1971f2a3ed20354e7da8fa978c52

SHA1
182b1d376b0c62839c11062051039c3243dc2231

SHA256
d8f761324112bc7f0b650cf929b64176c510c2fa84f842ed9ac4f9c60b61b72d

SHA512
0552b0cfb6f4944a53db734ac87ad20318245c2f1fbf3b9dd9bd69a725efccf8dd5db17d897b3d555f04c6378ba547defc4826e490300fe4c37712d8e2ca445e

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\ppp.dll

Filesize
90KB

MD5
8568de1a12e62851aae629e4d00e0aea

SHA1
3b927c55b7861be7b33fbaeec6840971545f2c94

SHA256
30731a4185273e3b6867e55ee4e70bd3aa47ecb24cc89f93d35f77351cc49c87

SHA512
ab1d60e55ef3c81f85aa3c80174210ca52532b4625559c4473d4b1bc692aac818e801f44933bea3102c70943b8cf0e3f309ccb0b5bfe5e301fde6c0efc2d2ee0

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\rb.dll

Filesize
63KB

MD5
6a09d9ff38b13df9117eb015fa7d41ad

SHA1
4ac77e79836fbbd86fd92a9dc1e225e5f52b763c

SHA256
6560a5942dbc4d06ad4a66fcc90cc02934345e775eab9afd2be0d2e351d04123

SHA512
7f3fb9bbf668f9781cfe380fa044d083ffe80b8a73ab130c089f2ca8e5d3ef4606777c636d1caa297f74058eb796f1f66f6c478359c230c5e3dd6cc04d9ba501

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\roteros.dll

Filesize
1.6MB

MD5
12e05e47421b9281611b37fe080f350d

SHA1
1e6a009e271f18719616e9a275a49923e4323e3f

SHA256
51158d15aa5fb913a54a4f912ee9f113a4015d65874d1254544f62684532c419

SHA512
c2bafaf6f769f0818df9a66d99fef3e7ee0692ef087f087a800bbdf658871cb353ecc432aab5a4e44cd42635fd6772c3a52fce9ae5419ad032896e7f44579038

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\roting4.dll

Filesize
116KB

MD5
e257a9d9fe649ec13e66919be828e364

SHA1
e4073afe8b8814088101df96e0e71201bb30cbe8

SHA256
7d3239fa0a653fe5be30760770b897e41f1d6abc1b3e42d23a404bd102734709

SHA512
10882eef5447eecc0b7dfe6772b0409eb10da1109029f080090901939ba7e8113a39b474c894c79ce530d6ecf5331b49e8774936fad9855a3612e0634417d8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\secure.dll

Filesize
90KB

MD5
5ffb0b316ed21c5ada7ff10b4c322c98

SHA1
789374ab4e483db809206e7b30801b9c3e3fcb33

SHA256
ac762c06ee8295ef2587332584440be582102e96a4008bd82b40d6efe480563d

SHA512
121788888a0add3fef0879075fe8c0bdd6883b3da27886b607597469172b92ed69e56b76be4e1693171d9b0c0080c29f20b02be9a70d2959d6795bf7f2b30ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\system.dll

Filesize
10KB

MD5
a35668d1ab99ec903988f3fd750faa35

SHA1
55add84f05201172e7d2668fafa6c71200303c1e

SHA256
63b55d315c15056f70461d354f23be258d810ff500707595410567e4d8f25dfd

SHA512
67e23ba329ec1c0e48fc7fb1e0b7ee47cab3cf62002cb3bdcd0707a71766988eeb915470ebb07b5cd21081c03fdcaec15d6b5fac97f9151585dfb8b52d8dcf55

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\ups.dll

Filesize
60KB

MD5
b870e4a3b58d7057d53143b29be75f0e

SHA1
e8eff5386a7ad562af83e34c7a9fa65b0af2be24

SHA256
f3333e58b499cd6fb5b7f9352f057922c4268c5438690193518cc18ea5692dbf

SHA512
3bfe96f8de451e1cc7b016acdb0e83ead5228361d993ae6557f1fbd511914ef3c22bdb26b653a3f3e07c310c952406a9cc2d9909821c7963fcbd2e4e76cfaf05

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\5.24-1061744751\wlan4.dll

Filesize
128KB

MD5
1e6a174881dc82701676beb8e0241858

SHA1
2cc32074abef3d5a9fdc11c823d78036d318f7e0

SHA256
47696ee247f5bfb6cc78e577a4f6341fad6e50428e8068185611fb0b5fcffea0

SHA512
1bcbf1dc4c34ba35ae8666cbd3b66da84a8e7e064d0f74bc4d74b0273c8ab805b5f83a1e859f0884807691408b28ecd1df2b8498e18e0f0eaeccdd2137ccf399

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\winbox.exe

Filesize
111KB

MD5
27fc00be3e5f4c646f8c7bae390a800f

SHA1
0ef98288062cea01155804a41dbb36444a3e630d

SHA256
fdff60124f14d29971fcf1cee6d248639c3ea0b4c82f7e0d9461edb68f416a27

SHA512
4e83bcb42ef84d8f72b3f3cefa1cc1a0d64d49cad2b9fd67a10dc90676eeac542a88d64f1d1e9b7855688e95712c2eb06fa8bba6a4940ac1b2bc01d39339c383

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\winbox.exe

Filesize
111KB

MD5
27fc00be3e5f4c646f8c7bae390a800f

SHA1
0ef98288062cea01155804a41dbb36444a3e630d

SHA256
fdff60124f14d29971fcf1cee6d248639c3ea0b4c82f7e0d9461edb68f416a27

SHA512
4e83bcb42ef84d8f72b3f3cefa1cc1a0d64d49cad2b9fd67a10dc90676eeac542a88d64f1d1e9b7855688e95712c2eb06fa8bba6a4940ac1b2bc01d39339c383

Download Submit
C:\Users\Admin\Application Data\Mikrotik\Winbox\winbox.exe

Filesize
111KB

MD5
27fc00be3e5f4c646f8c7bae390a800f

SHA1
0ef98288062cea01155804a41dbb36444a3e630d

SHA256
fdff60124f14d29971fcf1cee6d248639c3ea0b4c82f7e0d9461edb68f416a27

SHA512
4e83bcb42ef84d8f72b3f3cefa1cc1a0d64d49cad2b9fd67a10dc90676eeac542a88d64f1d1e9b7855688e95712c2eb06fa8bba6a4940ac1b2bc01d39339c383

Download Submit
memory/1800-360-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download