ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 06:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b19e3c2a84adc5cb0e8246430cd289fa.exe
Size

2.7MB
MD5

b19e3c2a84adc5cb0e8246430cd289fa
SHA1

b0736c9c4dc2d1013f3794a604efa965b1cd0cb4
SHA256

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd
SHA512

20cacd684b73d64ec36b9fe1ca6d197c374ab832d079d7756b50f6ef11dba0348bcd6088e2c987dc89f689e1919a4942848d0b3936898c715bbcd8da25438e29
SSDEEP

49152:mDkUrjrxRvdRVQioFIG5Ethdc2tg9eLJshFttFRMHWJDyxgTF1:m4UT4FRuUss/t1iQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	b19e3c2a84adc5cb0e8246430cd289fa.exe

Loads dropped DLL 1 IoCs

pid	Process
3784	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80

C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe
"C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S A1Unza.I9E /u
  2⤵
  - Loads dropped DLL
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1Unza.I9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1unza.i9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
memory/3784-4-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/3784-5-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/3784-7-0x0000000002BC0000-0x0000000002CC1000-memory.dmp

Filesize
1.0MB

Download
memory/3784-9-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download
memory/3784-8-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/3784-12-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download
memory/3784-13-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download