c8733d8c2d5aecc6e555444e5253a6500653e6fc73e9ece2fe0c410dec1e55ba

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9f6670403315_JC.exe
Size

28KB
MD5

ca9f66704033154821cfcc445fe88814
SHA1

fd8cd04ae2c34106bb0b4ca3c220c3a85d492e45
SHA256

c8733d8c2d5aecc6e555444e5253a6500653e6fc73e9ece2fe0c410dec1e55ba
SHA512

1dfb38264943549787de648aac7574addba85ab3349abcb76f3eee86bfe90dfa05aac8833bf20e44031192783c188eb0edcf0c62f312fddfd9be8bf2b0451201
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUZ0psObGqWB+:bA74zYcgT/Ekd0ryfjeRtB+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	ca9f6670403315_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1584	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1584	1832	ca9f6670403315_JC.exe	85
PID 1832 wrote to memory of 1584	1832	ca9f6670403315_JC.exe	85
PID 1832 wrote to memory of 1584	1832	ca9f6670403315_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\ca9f6670403315_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ca9f6670403315_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
28KB

MD5
5a6c8455b6005f18fd144cb252e59e93

SHA1
20532c3da4e5c689c53b3b7f3f56fcb2f833e188

SHA256
f4189dc2ef4f419a301b1021ee3ceed4412a9382e584f34b5cf0d239d64e5b59

SHA512
29081c850778402c84e85f299e220f477e9c372eeb56c179b30925e165949f26fb1c6168f536900ab9d598b0a6d223b2afa411bc52d913b718fb664596911e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
28KB

MD5
5a6c8455b6005f18fd144cb252e59e93

SHA1
20532c3da4e5c689c53b3b7f3f56fcb2f833e188

SHA256
f4189dc2ef4f419a301b1021ee3ceed4412a9382e584f34b5cf0d239d64e5b59

SHA512
29081c850778402c84e85f299e220f477e9c372eeb56c179b30925e165949f26fb1c6168f536900ab9d598b0a6d223b2afa411bc52d913b718fb664596911e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
28KB

MD5
5a6c8455b6005f18fd144cb252e59e93

SHA1
20532c3da4e5c689c53b3b7f3f56fcb2f833e188

SHA256
f4189dc2ef4f419a301b1021ee3ceed4412a9382e584f34b5cf0d239d64e5b59

SHA512
29081c850778402c84e85f299e220f477e9c372eeb56c179b30925e165949f26fb1c6168f536900ab9d598b0a6d223b2afa411bc52d913b718fb664596911e2f

Download Submit
memory/1584-153-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/1584-154-0x0000000002020000-0x0000000002026000-memory.dmp

Filesize
24KB

Download
memory/1832-136-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/1832-137-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/1832-138-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download