b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
Size

493KB
MD5

a066bd1a442fa3ce477698fdac265a82
SHA1

0bd235fdf4c5b53f9beb2ab5d8bad24e47b14d6c
SHA256

b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077
SHA512

3a2886331a271be62e886b43e537520961020f5b9416f07dd6e0800d37901451cafc79b2e15ca1074697a77cb946d3ec56840f875fe99399beca82f0a75c77f7
SSDEEP

12288:GgZXEAO/BUdG3gVdt7KsX+tZk0F+rct6ag2I29t6hWfAIi:GgZXoZUTVdt7Kzk0FUXag2INz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe

Executes dropped EXE 1 IoCs

pid	Process
992	steam.exe

Loads dropped DLL 1 IoCs

pid	Process
992	steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 992	5032	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	83
PID 5032 wrote to memory of 992	5032	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	83
PID 5032 wrote to memory of 992	5032	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	83

C:\Users\Admin\AppData\Local\Temp\b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
"C:\Users\Admin\AppData\Local\Temp\b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crashhandler.dll

Filesize
8KB

MD5
ad6c097448711213bf8181a3dbea7c18

SHA1
d6603665e144e9c81317731eee738d78b9ec4f40

SHA256
c1da7ad01cef8281118a88367329328c4741021729a5d67f9f911aa21e942936

SHA512
cc7a0b647644e1692b2cd97d6867be3252eab9d461e5d9565ef7f9eefa41de1e5c3078a2ce6d9f4297061193035519522a31b233c4c4a291bbdd4f4666be3a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crashhandler.dll

Filesize
8KB

MD5
ad6c097448711213bf8181a3dbea7c18

SHA1
d6603665e144e9c81317731eee738d78b9ec4f40

SHA256
c1da7ad01cef8281118a88367329328c4741021729a5d67f9f911aa21e942936

SHA512
cc7a0b647644e1692b2cd97d6867be3252eab9d461e5d9565ef7f9eefa41de1e5c3078a2ce6d9f4297061193035519522a31b233c4c4a291bbdd4f4666be3a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam_monitor.exe.log

Filesize
115B

MD5
a1e46537cd7939514d7a3eb0492310c0

SHA1
1232ed28e26ed0ef12e1523007b5774b50b485a2

SHA256
73918665f75b741d1fac75a50c3ecaa2260a5f24690a3a6bc7f19332841cfafe

SHA512
8dcfae86b7758baea786957e4858ec2dbe8db475d6d402b540b6afb94bdff00f8a09d540ae71c3abf210b6ad894365b921aa84bdb267e6d127c9d61bf5f8b179

Download Submit