3a121f05f63c8593bc348f091d6a320b8fb7092ac7da21dc8d8639e9fa6a9479

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e38f80fef9369cexeexeexeex.exe
Size

48KB
MD5

e38f80fef9369cd0851989bd0b2db194
SHA1

e3de5f3debe4081a782424f04c6afc13275db2ab
SHA256

3a121f05f63c8593bc348f091d6a320b8fb7092ac7da21dc8d8639e9fa6a9479
SHA512

a5747a95640b33977f8907b092f4facf7d2d11634c96090fd0557453ff841e9d28729995f7cbd14fe46d2f05d9112c526bfaf3908f050b006c0c4b70a60af727
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4Uu6EIEIDKlPoph:bIDOw9a0DwitDwIzDKlPoph

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	e38f80fef9369cexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
4128	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4128	3296	e38f80fef9369cexeexeexeex.exe	86
PID 3296 wrote to memory of 4128	3296	e38f80fef9369cexeexeexeex.exe	86
PID 3296 wrote to memory of 4128	3296	e38f80fef9369cexeexeexeex.exe	86

C:\Users\Admin\AppData\Local\Temp\e38f80fef9369cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e38f80fef9369cexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
48KB

MD5
30f0b0226650bb24786cd8c4e6e2025c

SHA1
f2adc7a1dd197a92ea622c67ec487f83b41f49d0

SHA256
c018a8c73033807b08f5908a6cf4084f74665ed76c10312018f8600a02b9351f

SHA512
4d5a19accf36ec67b06e49195268ef9254ce7b8c31864c3a5bb129b34aa0449764fc5985e072c6cb24ad0c71f994905a6ac5932ff1caaa7ae12a101aff4a3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
48KB

MD5
30f0b0226650bb24786cd8c4e6e2025c

SHA1
f2adc7a1dd197a92ea622c67ec487f83b41f49d0

SHA256
c018a8c73033807b08f5908a6cf4084f74665ed76c10312018f8600a02b9351f

SHA512
4d5a19accf36ec67b06e49195268ef9254ce7b8c31864c3a5bb129b34aa0449764fc5985e072c6cb24ad0c71f994905a6ac5932ff1caaa7ae12a101aff4a3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
48KB

MD5
30f0b0226650bb24786cd8c4e6e2025c

SHA1
f2adc7a1dd197a92ea622c67ec487f83b41f49d0

SHA256
c018a8c73033807b08f5908a6cf4084f74665ed76c10312018f8600a02b9351f

SHA512
4d5a19accf36ec67b06e49195268ef9254ce7b8c31864c3a5bb129b34aa0449764fc5985e072c6cb24ad0c71f994905a6ac5932ff1caaa7ae12a101aff4a3d12

Download Submit
memory/3296-133-0x0000000002270000-0x0000000002276000-memory.dmp

Filesize
24KB

Download
memory/3296-134-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/4128-149-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download