b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c

Analysis

max time kernel
110s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe
Size

2.0MB
MD5

50e1acd375a7cc9647fc4abbd8b599e7
SHA1

e93d32a1c5be753762c3f73da5b63b3d443a2491
SHA256

b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c
SHA512

50356af1369fdca9603ecedf32243e677841b7697f599301ffb23d081cf71e041894b7785a0d151abe7db5349f0357b5ec682695c2fc379857677f9f94b4f030
SSDEEP

24576:KgA5jl65iL4IwDhT86lswBHno5tooK6BOi9BYoH/:A5ZEPDhsOno56oH9BYof

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe

Executes dropped EXE 1 IoCs

pid	Process
1360	ACUninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1360	ACUninstall.exe
1360	ACUninstall.exe
1360	ACUninstall.exe
1360	ACUninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 1360	4312	b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe	84
PID 4312 wrote to memory of 1360	4312	b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe	84
PID 4312 wrote to memory of 1360	4312	b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe	84

C:\Users\Admin\AppData\Local\Temp\b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe
"C:\Users\Admin\AppData\Local\Temp\b105a12dbcbb61ada306800f7a437baa86eccbf96c50cafab0ad8c9495d3266c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\ACUninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\ACUninstall.exe" C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACUninstall.exe

Filesize
1.5MB

MD5
d07462520367e08006d4b415baec0385

SHA1
22ba8d2c30688d17df300d396bf9020e3d2313a9

SHA256
c97c2f6ad62b38f0729f63b1133795c82ecebed364dbad36e8a15346291f8657

SHA512
b14eae4fbbf0a15d95c506eae4599be6743786d2518f35cf4662497eef9e529a3166d608c8e78706770ddc8ff8efeaa12a4de59dbba070d3b2cbb4f506d7f0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACUninstall.exe

Filesize
1.5MB

MD5
d07462520367e08006d4b415baec0385

SHA1
22ba8d2c30688d17df300d396bf9020e3d2313a9

SHA256
c97c2f6ad62b38f0729f63b1133795c82ecebed364dbad36e8a15346291f8657

SHA512
b14eae4fbbf0a15d95c506eae4599be6743786d2518f35cf4662497eef9e529a3166d608c8e78706770ddc8ff8efeaa12a4de59dbba070d3b2cbb4f506d7f0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACUninstall.exe

Filesize
1.5MB

MD5
d07462520367e08006d4b415baec0385

SHA1
22ba8d2c30688d17df300d396bf9020e3d2313a9

SHA256
c97c2f6ad62b38f0729f63b1133795c82ecebed364dbad36e8a15346291f8657

SHA512
b14eae4fbbf0a15d95c506eae4599be6743786d2518f35cf4662497eef9e529a3166d608c8e78706770ddc8ff8efeaa12a4de59dbba070d3b2cbb4f506d7f0c4

Download Submit