2287d9df1d3b4c41a4c59f99663a73ff43f132b810d11447a88dce9ed9fbcd1d

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21568cdcb1e9acexeexeexeex.exe
Size

29KB
MD5

21568cdcb1e9ac4e0f92b67dd684781a
SHA1

d00a4650d2987ef91bb7b743fe5421c6541ac545
SHA256

2287d9df1d3b4c41a4c59f99663a73ff43f132b810d11447a88dce9ed9fbcd1d
SHA512

23404f8fc39bb3bc70f1bef0e3c6b4619c8530506237af0240ec60f968d6822bee6c3d1f493269af964ea239487460fcbda3245cedb64f046b45a951a904280c
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJgKHJ4jHm5Sm:bA74zYcgT/Ekd0ryfjQRSOam4Sm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	21568cdcb1e9acexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 3404	760	21568cdcb1e9acexeexeexeex.exe	84
PID 760 wrote to memory of 3404	760	21568cdcb1e9acexeexeexeex.exe	84
PID 760 wrote to memory of 3404	760	21568cdcb1e9acexeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\21568cdcb1e9acexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\21568cdcb1e9acexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
8ee207e509e9eefa7a8fdfc0f0404b8e

SHA1
71e3c7ea84dc5d8af71a36e15794f8d9def7fcbe

SHA256
7e6734df3eaaebdd3e6e21a7c6846ff92b7dbd66121bb1bdcd3a53f48e150a5e

SHA512
e954119a007c330c6a1d4477f13fddf104d77b66f3b3615c546e61447c997b9e52b320da63cccadfb86138c85ae4f349d71c0f97b589289de8716ff7d9ef32c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
8ee207e509e9eefa7a8fdfc0f0404b8e

SHA1
71e3c7ea84dc5d8af71a36e15794f8d9def7fcbe

SHA256
7e6734df3eaaebdd3e6e21a7c6846ff92b7dbd66121bb1bdcd3a53f48e150a5e

SHA512
e954119a007c330c6a1d4477f13fddf104d77b66f3b3615c546e61447c997b9e52b320da63cccadfb86138c85ae4f349d71c0f97b589289de8716ff7d9ef32c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
8ee207e509e9eefa7a8fdfc0f0404b8e

SHA1
71e3c7ea84dc5d8af71a36e15794f8d9def7fcbe

SHA256
7e6734df3eaaebdd3e6e21a7c6846ff92b7dbd66121bb1bdcd3a53f48e150a5e

SHA512
e954119a007c330c6a1d4477f13fddf104d77b66f3b3615c546e61447c997b9e52b320da63cccadfb86138c85ae4f349d71c0f97b589289de8716ff7d9ef32c5

Download Submit
memory/760-133-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/760-134-0x0000000003120000-0x0000000003126000-memory.dmp

Filesize
24KB

Download
memory/3404-149-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download