693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185

Analysis

max time kernel
144s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe
Size

2.0MB
MD5

e52424ae97ec97323009c913cbd3ad18
SHA1

fce1e805fb34525e02eb56b644bc737d95c86128
SHA256

693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185
SHA512

f695d91acd88b7b93393f607acbd1282946504b4b629f55d0771dda19c009d54fb17d118f9a9c7982d5f96ce23b2080a51761af53fbbf35da5ee2cd0c3cb7f03
SSDEEP

49152:OCWhF7BfJXAEsH8UEByuRW/NMVvBo8xqV/AjvFaG:OCWhF7BfKEw8UEiMVvHxqVoT9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe

Loads dropped DLL 1 IoCs

pid	Process
4364	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4364	1200	693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe	85
PID 1200 wrote to memory of 4364	1200	693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe	85
PID 1200 wrote to memory of 4364	1200	693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe	85

C:\Users\Admin\AppData\Local\Temp\693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe
"C:\Users\Admin\AppData\Local\Temp\693a88878e5c87f13a6dee50f9aac95a5fa6cb4865f43b7f5edc93645baba185.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s .\HZuRbZ.tUY
  2⤵
  - Loads dropped DLL
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZuRbZ.tUY

Filesize
1.4MB

MD5
2a518abf6e36c512d784375f182db8c6

SHA1
e68df236d8edb8caf5efa3a1b9854cade4bbc532

SHA256
09c5e4c3510fdca84e89789703ce69dc199497034b866d6d319bf59edfd5f455

SHA512
1424a430cc2d231a47db5c8bba5b0274b7d2039789bb3cc68f01e0c34b4b6e03472e50fe3560ad1706a90dcec5755ee0a42334de671633536a4ef126247f2dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZurbz.tuY

Filesize
1.4MB

MD5
2a518abf6e36c512d784375f182db8c6

SHA1
e68df236d8edb8caf5efa3a1b9854cade4bbc532

SHA256
09c5e4c3510fdca84e89789703ce69dc199497034b866d6d319bf59edfd5f455

SHA512
1424a430cc2d231a47db5c8bba5b0274b7d2039789bb3cc68f01e0c34b4b6e03472e50fe3560ad1706a90dcec5755ee0a42334de671633536a4ef126247f2dc3

Download Submit
memory/4364-138-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/4364-137-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/4364-141-0x0000000002C90000-0x0000000002DA0000-memory.dmp

Filesize
1.1MB

Download
memory/4364-143-0x0000000002DA0000-0x0000000002E95000-memory.dmp

Filesize
980KB

Download
memory/4364-142-0x0000000002DA0000-0x0000000002E95000-memory.dmp

Filesize
980KB

Download
memory/4364-145-0x0000000002DA0000-0x0000000002E95000-memory.dmp

Filesize
980KB

Download
memory/4364-146-0x0000000002DA0000-0x0000000002E95000-memory.dmp

Filesize
980KB

Download