318bcd1479c2d3b62efa480a94ef18ffd2171cbbee678ffa369d8cc398878f11

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe
Size

363KB
MD5

8a016364a416c143e233d4f47e76d789
SHA1

4bf4831638d53e6b3e33f00fb53ebd61adeeab7c
SHA256

f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49
SHA512

81c70f7ba05b9cee5bf09bef615c237702b9fdfb239915c16aba3622b076b1230f02eabf99322a5a42679d95494608851b6f3cbf9c0ef0b8aec452ef13f8c45c
SSDEEP

6144:Z5YIBRi2DHYcxEg7LGcKiwGD36xhRv+uGPo:gURircxP1waK9v+u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	4184	WerFault.exe	84

Kills process with taskkill 1 IoCs

evasion

pid	Process
1584	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3392	4184	f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe	92
PID 4184 wrote to memory of 3392	4184	f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe	92
PID 4184 wrote to memory of 3392	4184	f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe	92
PID 3392 wrote to memory of 1584	3392	cmd.exe	95
PID 3392 wrote to memory of 1584	3392	cmd.exe	95
PID 3392 wrote to memory of 1584	3392	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe
"C:\Users\Admin\AppData\Local\Temp\f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "f1fe64569eb3987fd8b828fcd251bd394521980c0580bf9c94620b740b777b49.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1808
  2⤵
  - Program crash
  PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4184 -ip 4184
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4184-1-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/4184-2-0x0000000003EC0000-0x0000000003EFE000-memory.dmp

Filesize
248KB

Download
memory/4184-3-0x0000000000400000-0x00000000022A1000-memory.dmp

Filesize
30.6MB

Download
memory/4184-8-0x0000000000400000-0x00000000022A1000-memory.dmp

Filesize
30.6MB

Download
memory/4184-9-0x0000000003EC0000-0x0000000003EFE000-memory.dmp

Filesize
248KB

Download