d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-07-2023 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

274KB
MD5

a0bfccb8cc68d350b02287d70507e70d
SHA1

3b274838cd098c2f26ece2928300fe4f1e24a9d4
SHA256

d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab
SHA512

2e697d859c3c40acf033b20716fd2ecf427dbd85db470fd42907090b17dd73b7ba2506a9c56836d75f9f52ffead67258c7fb24de03715293d63ba0c349ff8cec
SSDEEP

6144:PYa689fXW3LMiiTEqOyYKFEZWAQoAALLg6UM6KYUvjuyT2XH9PDD0:PYS9fXW+TEqdXkLg6YUrui2Xd7D0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2676	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2012	2676	tmp.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe
2012	tmp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2676	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	tmp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2012	2676	tmp.exe	28
PID 2676 wrote to memory of 2012	2676	tmp.exe	28
PID 2676 wrote to memory of 2012	2676	tmp.exe	28
PID 2676 wrote to memory of 2012	2676	tmp.exe	28
PID 2676 wrote to memory of 2012	2676	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjBB27.tmp\wkybeb.dll

Filesize
49KB

MD5
9da370474c2a7427495e83bed70b87ab

SHA1
de2b22ba5cf618e0fc6ff30a8927820f1544068a

SHA256
9cba1183ed6a9a89a34805730da01edaed2026b3d3cad0e3ef9710fbeb3ec442

SHA512
bc736a5dcf5d6e227773dd59747eeb0f0035f09bc93bb85d9dc78c48e1fa62a17cef3f200102a47b94fe868020caf52aa0e3cc93b93d26db483b46e5f7aef54a

Download Submit
memory/2012-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-63-0x0000000000780000-0x0000000000A83000-memory.dmp

Filesize
3.0MB

Download
memory/2012-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2676-61-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download