34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a

Analysis

max time kernel
9s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe
Size

363KB
MD5

56bdfddf9756ac62d86bac3974224380
SHA1

81e20c225038a691816bc6e2239d3a68fc90ecdb
SHA256

34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a
SHA512

c7a813a5c6a754b66afb991e81327f022cc27f969001ec0ddd4c1ee4309cba741a6dc287312c79e98f368fbf1bf1fd9bc747d71e70a2320b8232603f769d368b
SSDEEP

6144:pkYnm9VlSI5GvGASVJh6IFQodMJQpe/o:Bm9VIiGuASVJh6IFL

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	9262645787.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2676	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	96
PID 2964 wrote to memory of 2676	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	96
PID 2964 wrote to memory of 2676	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	96
PID 2676 wrote to memory of 2504	2676	cmd.exe	98
PID 2676 wrote to memory of 2504	2676	cmd.exe	98
PID 2676 wrote to memory of 2504	2676	cmd.exe	98
PID 2964 wrote to memory of 4972	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	99
PID 2964 wrote to memory of 4972	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	99
PID 2964 wrote to memory of 4972	2964	34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe	99

C:\Users\Admin\AppData\Local\Temp\34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe
"C:\Users\Admin\AppData\Local\Temp\34de83833d113611caaa8b872bd643a30c1ad3e893b4bbcc4a5bec5ce9e7734a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9262645787.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\9262645787.exe
    "C:\Users\Admin\AppData\Local\Temp\9262645787.exe"
    3⤵
    - Executes dropped EXE
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6036777280.exe"
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\6036777280.exe
    "C:\Users\Admin\AppData\Local\Temp\6036777280.exe"
    3⤵
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6036777280.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6036777280.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9262645787.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\9262645787.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
memory/2504-19-0x0000000000E70000-0x00000000011FE000-memory.dmp

Filesize
3.6MB

Download
memory/2504-20-0x0000000072EE0000-0x0000000073690000-memory.dmp

Filesize
7.7MB

Download
memory/2964-1-0x00000000025B0000-0x00000000026B0000-memory.dmp

Filesize
1024KB

Download
memory/2964-2-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/2964-3-0x0000000000400000-0x00000000022A1000-memory.dmp

Filesize
30.6MB

Download
memory/2964-14-0x00000000025B0000-0x00000000026B0000-memory.dmp

Filesize
1024KB

Download