bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe
Size

38KB
MD5

c961feda259bc2c73a07c7b549658f74
SHA1

0800b4f0b105e96b5c72c50048ad4fe6e80254f8
SHA256

bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af
SHA512

c46b8d6e4abd5df15f64cc5f4caa936f8335372981909bb8bd543621704a3380e16f05fce251107cbfadc5b62907fc019212000fcdeff2e2e8f95baa6f928d4f
SSDEEP

768:E8Cpm91BJWaopCM41v1TbpCxvCAEZDY4m/YL:E8Cpyx1HMTEmvi

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	WeCom_4.1.9.6038.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4716	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1660	4716	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe	98
PID 4716 wrote to memory of 1660	4716	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe	98
PID 4716 wrote to memory of 1660	4716	bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe	98

C:\Users\Admin\AppData\Local\Temp\bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe
"C:\Users\Admin\AppData\Local\Temp\bd1d6a02a8b84b4a6ec252f592cda09d7dd31760ec7e5d6db267d0f961f937af.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\WeCom_4.1.9.6038.exe
  "C:\Users\Admin\AppData\Local\Temp\WeCom_4.1.9.6038.exe" /S
  2⤵
  - Executes dropped EXE
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WeCom_4.1.9.6038.exe

Filesize
291.5MB

MD5
207e0693315ee0fe96edde62563f6622

SHA1
e32f6cfc8f068c85b0e8b395700915dde9de874a

SHA256
5ca68f1be458560aace7f466b1aab01ad91b38cb496231ebb65c85e70158c88f

SHA512
1ee304bce5403fc32bfb7602ab2fe647e1273eaa12933fcada50e8107740b4d85eb06d77e4920c4417a663a5bcf20abbbb79f0dac7b9f66c1d97f66ecf8f9251

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeCom_4.1.9.6038.exe

Filesize
218.6MB

MD5
1651a48ff03e91f87b4bd6b166c81fcc

SHA1
7451b8941f39e8bd0fd00bffd89903fda4ca6678

SHA256
183183f872bb4502d9e97d25a42a4e7103fb928230d06d969fa693362149cb06

SHA512
edb1ab9e06992b473236206e5914c75515234b4194225a60b4de0ca07df41615bd57426eca7345eaead4b5deb2636e10ac42476841cdb17ddcbc93090cf9b0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeCom_4.1.9.6038.exe

Filesize
124.8MB

MD5
71fa0a1b3509b867dbf655322cb5fb40

SHA1
72ac37f1a651057ea0f4cdc1ac060d7ad9053ace

SHA256
c995d623eca0b0319f44e6330b81ea9a2291fa995620e76404d63ac778220b2c

SHA512
23a277a999f19c25e96f3b4620838dde430addafe4f4f10fabf6049ca66d8b4284de9fb8a31f6df3ae50b876fde433a76741bfca656d3795667d9b6d659de69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kgllao2a.cyk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4716-0-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/4716-6-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/4716-11-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download
memory/4716-12-0x000000001AC90000-0x000000001ACB2000-memory.dmp

Filesize
136KB

Download
memory/4716-13-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download
memory/4716-14-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download
memory/4716-16-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download
memory/4716-28-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

Filesize
10.8MB

Download