44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe
Size

365KB
MD5

0b7f0fc0b1bffd64a565c18e485721f7
SHA1

e471f5720f103208cb28a305ae18603ad26ae745
SHA256

44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c
SHA512

3967183d7c35d4dc50e7b24d040c8f6849984fb24b352114db46bb46911e771ce96b27096bbb133e5672c69c3c31efb424949eb6b19bea6aa169f7c1e40f031f
SSDEEP

6144:V2ekvIpXOtGmGy7udngCfhUPwunujaB6fiZEas:VHoEXgGmGyidngaijn5B6fiZB

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	1985934122.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1152	1728	WerFault.exe	84

Kills process with taskkill 1 IoCs

evasion

pid	Process
4132	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 4956	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	86
PID 1728 wrote to memory of 4956	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	86
PID 1728 wrote to memory of 4956	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	86
PID 4956 wrote to memory of 4948	4956	cmd.exe	88
PID 4956 wrote to memory of 4948	4956	cmd.exe	88
PID 4956 wrote to memory of 4948	4956	cmd.exe	88
PID 1728 wrote to memory of 492	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	96
PID 1728 wrote to memory of 492	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	96
PID 1728 wrote to memory of 492	1728	44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe	96
PID 492 wrote to memory of 4132	492	cmd.exe	99
PID 492 wrote to memory of 4132	492	cmd.exe	99
PID 492 wrote to memory of 4132	492	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe
"C:\Users\Admin\AppData\Local\Temp\44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1985934122.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\1985934122.exe
    "C:\Users\Admin\AppData\Local\Temp\1985934122.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "44dc90e976e86930eb9a61f6b2ee56c301b6c7d0e2db2619b147d242761f354c.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1292
  2⤵
  - Program crash
  PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1728 -ip 1728
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1985934122.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1985934122.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
memory/1728-1-0x0000000002610000-0x0000000002710000-memory.dmp

Filesize
1024KB

Download
memory/1728-2-0x0000000002560000-0x000000000259E000-memory.dmp

Filesize
248KB

Download
memory/1728-3-0x0000000000400000-0x00000000022A1000-memory.dmp

Filesize
30.6MB

Download
memory/1728-13-0x0000000002610000-0x0000000002710000-memory.dmp

Filesize
1024KB

Download
memory/1728-14-0x0000000000400000-0x00000000022A1000-memory.dmp

Filesize
30.6MB

Download
memory/1728-15-0x0000000002560000-0x000000000259E000-memory.dmp

Filesize
248KB

Download