f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe
Size

1.9MB
MD5

b1652f2b4cd5bdc366e751dee52a073e
SHA1

c6014e156e0abba8e31d4683c49f5ba2e3f0732a
SHA256

f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a
SHA512

52d0e9a16484301d0c805cd124625f4903cd0fd6d8f6eb23e195e4a8abe28fa65d512b4c382216144d20dd9b5bc776c231f68cda69359effc0c71e673a0e97c5
SSDEEP

24576:UW6VXRhhnzyhPIVcz9XUIRmQpLKcxafX0djRbEcPQ5Aeax+q4GZSKSnB3kqA9yoY:p6zyhPIaJXRmQZAXCjfwB4QKSnBUFmtT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4856	3560	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	87
PID 3560 wrote to memory of 4856	3560	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	87
PID 3560 wrote to memory of 4856	3560	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	87
PID 4856 wrote to memory of 3364	4856	cmd.exe	90
PID 4856 wrote to memory of 3364	4856	cmd.exe	90
PID 4856 wrote to memory of 3364	4856	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe
"C:\Users\Admin\AppData\Local\Temp\f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\工具条设置.bat" /工具条设置.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\mode.com
    mode con cols=60 lines=16
    3⤵
    PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\工具条设置.BAT

Filesize
285B

MD5
1782b3575feec9e9ef09b22cfe53ba48

SHA1
81b7de2cb701c42a3c4b49779e48cebdcef90202

SHA256
17bd2e2c5fe7d7d960885fff27af03bea6edd9a368bbb08a8170dc822d843af2

SHA512
53ef8036dfc10a68548a2258ac925b59e56321ffa87f35ae728eea66471fce6ceecf6231f566863fb1e692c1fc7d4320406e8dafd8bc27bcffbe96768c55fc59

Download Submit