febcfd3442d77df963432848b8a9162b69f11ff95243f727dc1cc758c8911f3a

Analysis

max time kernel
121s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

admin/Hide w drive.exe
Size

87KB
MD5

fa331d2f451c217fd8ff0c929f58b0db
SHA1

46b232edf18e880cb067531372626c0e1f696c38
SHA256

af1f50e992e0e68f30fd152bbd508db1afb09aac1d21f867daebba22f9c3c368
SHA512

93dbf115b935fdc81b5e40e46daca06b3998552437571c52fffa2bdc0bb99a5508d8f29522713d87850a8c186fe441df63422458b7d38225157a497c1963faab
SSDEEP

1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfyxe:nq6+ouCpk2mpcWJ0r+QNTBfyI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Hide w drive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
4108	regedit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 5040	3856	Hide w drive.exe	85
PID 3856 wrote to memory of 5040	3856	Hide w drive.exe	85
PID 5040 wrote to memory of 4108	5040	cmd.exe	88
PID 5040 wrote to memory of 4108	5040	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\admin\Hide w drive.exe
"C:\Users\Admin\AppData\Local\Temp\admin\Hide w drive.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC87.tmp\CC88.tmp\CC89.bat "C:\Users\Admin\AppData\Local\Temp\admin\Hide w drive.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\regedit.exe
    REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\~import.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CC87.tmp\CC88.tmp\CC89.bat

Filesize
552B

MD5
9d35bda9ae85b20e89bf9eca5b5804cc

SHA1
7121e43043450a604a01d7bdcc54479ca12ee0c2

SHA256
dc23359e79a19683956763473a8deec99009fb1ba4b526bee954f4a3a4439c3d

SHA512
6d80ef3dfaceaaa6459ac2812f278befdf870137c62afa9c8344f159b751fd9689ed4eb453254430d57f78ab1baf741e47d36309da5ec28ea753a98513f311e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~import.reg

Filesize
149B

MD5
6bcca5c1527b2ee197362076809f0ce7

SHA1
11eb2afb29c604dd6febc0f2ef21795dde0969b0

SHA256
addd4a35685b2df1aa9939ae0ae1df228ebd3da96588ebe793ba1ffb73b5cc77

SHA512
e1c06887ad09e0dac6656b7cd64179f28f0963fb9cddb5ed2b83ad188a830c4fc12b6672c7cccef6cde839851225d00aed582197da10abfd7ff10506abcdbad1

Download Submit