ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 06:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b19e3c2a84adc5cb0e8246430cd289fa.exe
Size

2.7MB
MD5

b19e3c2a84adc5cb0e8246430cd289fa
SHA1

b0736c9c4dc2d1013f3794a604efa965b1cd0cb4
SHA256

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd
SHA512

20cacd684b73d64ec36b9fe1ca6d197c374ab832d079d7756b50f6ef11dba0348bcd6088e2c987dc89f689e1919a4942848d0b3936898c715bbcd8da25438e29
SSDEEP

49152:mDkUrjrxRvdRVQioFIG5Ethdc2tg9eLJshFttFRMHWJDyxgTF1:m4UT4FRuUss/t1iQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	b19e3c2a84adc5cb0e8246430cd289fa.exe

Loads dropped DLL 1 IoCs

pid	Process
3784	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80
PID 4992 wrote to memory of 3784	4992	b19e3c2a84adc5cb0e8246430cd289fa.exe	80

C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe
"C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S A1Unza.I9E /u
  2⤵
  - Loads dropped DLL
  PID:3784

Network

DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

254.22.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.22.238.8.in-addr.arpa

IN PTR

Response
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response
DNS

131.72.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.72.42.20.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

254.22.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

254.22.238.8.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa
8.8.8.8:53

131.72.42.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

131.72.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1Unza.I9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1unza.i9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
memory/3784-4-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/3784-5-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/3784-7-0x0000000002BC0000-0x0000000002CC1000-memory.dmp

Filesize
1.0MB

Download
memory/3784-9-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download
memory/3784-8-0x0000000000400000-0x0000000000696000-memory.dmp

Filesize
2.6MB

Download
memory/3784-12-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download
memory/3784-13-0x0000000002CD0000-0x0000000002DB7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.