1296c5c816e15e7238e77b6f563bed4c9e1b4aa38efbc62d9e90c93753dc411b

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_29f273fef8722fexeexe_JC.exe
Size

31KB
MD5

29f273fef8722f329a6542787e3e4509
SHA1

f78f91f680588fe79bc33db2c0b9083d249fdfdd
SHA256

1296c5c816e15e7238e77b6f563bed4c9e1b4aa38efbc62d9e90c93753dc411b
SHA512

ad835e6fcfecfa03beb811a4e552151cc73ad446867c11c33ab94b412d14fe0a1844c8b6bc199e93233fa282272a4e8349b07cc82bce5de308f29f145e20099e
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoi0WlLYZAM9BWixK:b7o/2n1TCraU6GD1a4X0WlK59xK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	NA_NA_29f273fef8722fexeexe_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 2968	3408	NA_NA_29f273fef8722fexeexe_JC.exe	87
PID 3408 wrote to memory of 2968	3408	NA_NA_29f273fef8722fexeexe_JC.exe	87
PID 3408 wrote to memory of 2968	3408	NA_NA_29f273fef8722fexeexe_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\NA_NA_29f273fef8722fexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_29f273fef8722fexeexe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
a08215adc9718a7c189f8f0fbbae23ae

SHA1
2afd32a4766749a1e491f6eb949f814f142813c7

SHA256
3a64a287d85485809dc5d8aa642a2dce375f66a3d7bfe4c9dff3af07cddbbc40

SHA512
be730a5c8aa40a4034674e4a9896312c41b63f8277d29f241e711369286366ab20df43f0ee87973d01a5c6f998c7d80498c2287179a288b7ba319f6a05b69892

Download Submit
C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
a08215adc9718a7c189f8f0fbbae23ae

SHA1
2afd32a4766749a1e491f6eb949f814f142813c7

SHA256
3a64a287d85485809dc5d8aa642a2dce375f66a3d7bfe4c9dff3af07cddbbc40

SHA512
be730a5c8aa40a4034674e4a9896312c41b63f8277d29f241e711369286366ab20df43f0ee87973d01a5c6f998c7d80498c2287179a288b7ba319f6a05b69892

Download Submit
C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
a08215adc9718a7c189f8f0fbbae23ae

SHA1
2afd32a4766749a1e491f6eb949f814f142813c7

SHA256
3a64a287d85485809dc5d8aa642a2dce375f66a3d7bfe4c9dff3af07cddbbc40

SHA512
be730a5c8aa40a4034674e4a9896312c41b63f8277d29f241e711369286366ab20df43f0ee87973d01a5c6f998c7d80498c2287179a288b7ba319f6a05b69892

Download Submit
memory/2968-153-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/3408-133-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/3408-134-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/3408-135-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download