fa389da412cee2566e8f9373c3562d685c3e3747aebb33594ec1ffb54c7a2806

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb84a7655c2ba1exeexeexeex.exe
Size

35KB
MD5

bb84a7655c2ba1cbcb968fcfa60a88d6
SHA1

86d1a8d5525efda87563dc1fe97e56583d066512
SHA256

fa389da412cee2566e8f9373c3562d685c3e3747aebb33594ec1ffb54c7a2806
SHA512

b739290f1bd1b67e6b7410d9925f68b071f29dbb9d9ba2478ea5c2754f23f708afd07aa85bebcc72ef364093f34494b8854276b194a7e83334eb512bff41d112
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf6XT+0vJsg5b5Uc:bgX4zYcgTEu6QOaryfjqDlC6JFbKc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	bb84a7655c2ba1exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1608	1200	bb84a7655c2ba1exeexeexeex.exe	84
PID 1200 wrote to memory of 1608	1200	bb84a7655c2ba1exeexeexeex.exe	84
PID 1200 wrote to memory of 1608	1200	bb84a7655c2ba1exeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\bb84a7655c2ba1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\bb84a7655c2ba1exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
09d69f10442bfcf7cef0206583385a83

SHA1
031c2e33b5fa30e131cc02286640f9af2f6e5768

SHA256
5fd08bf401180d8ece559ef5af3c446982d4e8898a6ea1350ecf2b74ed4fc896

SHA512
8dd1580c68352c0cbfe3cc85ae2d2196d9f02f9b45047949ea34b5bc0f586873fe0a5cc200dd96b293c0752856c0a2ba440660b85b7811f5415305cc572c7290

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
09d69f10442bfcf7cef0206583385a83

SHA1
031c2e33b5fa30e131cc02286640f9af2f6e5768

SHA256
5fd08bf401180d8ece559ef5af3c446982d4e8898a6ea1350ecf2b74ed4fc896

SHA512
8dd1580c68352c0cbfe3cc85ae2d2196d9f02f9b45047949ea34b5bc0f586873fe0a5cc200dd96b293c0752856c0a2ba440660b85b7811f5415305cc572c7290

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
09d69f10442bfcf7cef0206583385a83

SHA1
031c2e33b5fa30e131cc02286640f9af2f6e5768

SHA256
5fd08bf401180d8ece559ef5af3c446982d4e8898a6ea1350ecf2b74ed4fc896

SHA512
8dd1580c68352c0cbfe3cc85ae2d2196d9f02f9b45047949ea34b5bc0f586873fe0a5cc200dd96b293c0752856c0a2ba440660b85b7811f5415305cc572c7290

Download Submit
memory/1200-133-0x0000000002E70000-0x0000000002E76000-memory.dmp

Filesize
24KB

Download
memory/1200-134-0x0000000003120000-0x0000000003126000-memory.dmp

Filesize
24KB

Download
memory/1608-149-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

Filesize
24KB

Download