5a2b48a69e626d6eadbfe0ffc90af996e988333119e445afb42f7b00fc97baae

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

147fec435fb0b6exeexeexeex.exe
Size

35KB
MD5

147fec435fb0b62ab8f9e66f4c70deba
SHA1

649c8181d7b8256b8fa950e64a3d0e47522ea72c
SHA256

5a2b48a69e626d6eadbfe0ffc90af996e988333119e445afb42f7b00fc97baae
SHA512

a9c585d7ec02aec707e583337f4157f46c31e6d4be49fd9da77157ecc0b38e413080b82795b4a02553d8ef78013f9da0e5ce5f970c6b9a48f0e6afbff3d028ba
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf6XT+0vJsghbZ/bi:bgX4zYcgTEu6QOaryfjqDlC6JtbZ/O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	147fec435fb0b6exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2708	5040	147fec435fb0b6exeexeexeex.exe	80
PID 5040 wrote to memory of 2708	5040	147fec435fb0b6exeexeexeex.exe	80
PID 5040 wrote to memory of 2708	5040	147fec435fb0b6exeexeexeex.exe	80

C:\Users\Admin\AppData\Local\Temp\147fec435fb0b6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\147fec435fb0b6exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
c9b11ddc6f1f2a22816d1a4ed41db74d

SHA1
eae809afaa1a652df20e26f6b3f371327c2d9b72

SHA256
161ac2b7033b319d664aef91ae5aff46fe1fef0dca4c50f5e04210910faadd85

SHA512
033c23c626be508882e7f7f9b4d2db5095b785ea1bf4d0edb15e3f21c50d777b1184dfb9aa6ee6dd9b85e9548e31740c54d1fd7ed5664225235f304fe9243f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
c9b11ddc6f1f2a22816d1a4ed41db74d

SHA1
eae809afaa1a652df20e26f6b3f371327c2d9b72

SHA256
161ac2b7033b319d664aef91ae5aff46fe1fef0dca4c50f5e04210910faadd85

SHA512
033c23c626be508882e7f7f9b4d2db5095b785ea1bf4d0edb15e3f21c50d777b1184dfb9aa6ee6dd9b85e9548e31740c54d1fd7ed5664225235f304fe9243f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
c9b11ddc6f1f2a22816d1a4ed41db74d

SHA1
eae809afaa1a652df20e26f6b3f371327c2d9b72

SHA256
161ac2b7033b319d664aef91ae5aff46fe1fef0dca4c50f5e04210910faadd85

SHA512
033c23c626be508882e7f7f9b4d2db5095b785ea1bf4d0edb15e3f21c50d777b1184dfb9aa6ee6dd9b85e9548e31740c54d1fd7ed5664225235f304fe9243f62

Download Submit
memory/2708-149-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

Filesize
24KB

Download
memory/5040-133-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/5040-134-0x0000000003120000-0x0000000003126000-memory.dmp

Filesize
24KB

Download