45d0896cc87cf7edadcf12f2b2b872903f1de6ace18e228f8036472bf81060e2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fdb73744323cbexeexeexeex.exe
Size

26KB
MD5

9fdb73744323cb9da571bfd884162602
SHA1

117a1e29023f5ca0f22dbe65491ee6a308924b1b
SHA256

45d0896cc87cf7edadcf12f2b2b872903f1de6ace18e228f8036472bf81060e2
SHA512

cd972760ef70a35d75d0b4c118ccee0407248d157eb023553a2f09fa6150dc4a9b0dbe541cb583ed25e6ce8400891a058a775c8b16c23d86705cdd8fd1ad04d9
SSDEEP

384:bIDl1ovmXAw9PMDREhi9OUSPlRxMc/cip7IAfjDb4YWV:bIDOw9UiaCHfjnIV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	9fdb73744323cbexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4944	5044	9fdb73744323cbexeexeexeex.exe	84
PID 5044 wrote to memory of 4944	5044	9fdb73744323cbexeexeexeex.exe	84
PID 5044 wrote to memory of 4944	5044	9fdb73744323cbexeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\9fdb73744323cbexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\9fdb73744323cbexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
27KB

MD5
fd0a2276db2ad4d89402facd464440b4

SHA1
1ab93f5f62edc8882d1cb2b96b948b8ff3ae8829

SHA256
a10276a270b934e4e399cbd9f451d150624491db4a2cfa1f37d0731fbeb825f4

SHA512
0b4120a2ae2a1156aa8c0e9cc19d3f9b130cab7c278b157664ef71ad72f48343b0bede47794c0712e8c6584d2bb26a2695973b4cf70f5e0991ece894b61f91eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
27KB

MD5
fd0a2276db2ad4d89402facd464440b4

SHA1
1ab93f5f62edc8882d1cb2b96b948b8ff3ae8829

SHA256
a10276a270b934e4e399cbd9f451d150624491db4a2cfa1f37d0731fbeb825f4

SHA512
0b4120a2ae2a1156aa8c0e9cc19d3f9b130cab7c278b157664ef71ad72f48343b0bede47794c0712e8c6584d2bb26a2695973b4cf70f5e0991ece894b61f91eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
27KB

MD5
fd0a2276db2ad4d89402facd464440b4

SHA1
1ab93f5f62edc8882d1cb2b96b948b8ff3ae8829

SHA256
a10276a270b934e4e399cbd9f451d150624491db4a2cfa1f37d0731fbeb825f4

SHA512
0b4120a2ae2a1156aa8c0e9cc19d3f9b130cab7c278b157664ef71ad72f48343b0bede47794c0712e8c6584d2bb26a2695973b4cf70f5e0991ece894b61f91eb

Download Submit
memory/4944-149-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/5044-133-0x0000000000580000-0x0000000000586000-memory.dmp

Filesize
24KB

Download
memory/5044-134-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download