dc268ae03e800daab58a54ac0302cb04250c6294541c445d3f8b6d3c9fe1f1cf

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe
Size

492KB
MD5

55bd116231202bc83059688a7a7132d9
SHA1

35cf4f8eb780a45ac4fa250d96c32b52ed01747a
SHA256

f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27
SHA512

822af8704acd27fa8087007fd8f9445eccdfe2494d0e850e62eb3c61676be97343205d6432c090b27c0fa72b9615f5bd1eca77536c1829faa28bd337a9b4c15a
SSDEEP

6144:1ldk1cWQRNTBS9nsGP1CkdJwVKXglJKwkeP4CwHoILYP9uoqNk0vZhr7aSKrmK7H:1cv0NTY1/JfgWwkhLYB302vmK7uA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe

Executes dropped EXE 1 IoCs

pid	Process
3400	qfq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2464	4388	f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe	88
PID 4388 wrote to memory of 2464	4388	f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe	88
PID 2464 wrote to memory of 3400	2464	cmd.exe	92
PID 2464 wrote to memory of 3400	2464	cmd.exe	92
PID 2464 wrote to memory of 3400	2464	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe
"C:\Users\Admin\AppData\Local\Temp\f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C47.tmp\6C48.tmp\6C49.bat C:\Users\Admin\AppData\Local\Temp\f624ac67ace602bd64c79d820506ddac165a59af2ae46448b2c18ac43aa67a27.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\6C47.tmp\qfq.exe
    qfq.exe
    3⤵
    - Executes dropped EXE
    PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C47.tmp\6C48.tmp\6C49.bat

Filesize
35B

MD5
8cac559f68a521020843a795687b732b

SHA1
a8b0ed616efb91bcf9f0603e5b089faf6cb62630

SHA256
76f581237a11ff38f1c8bba3d6acae0145260a8e1c26575bedf139624677805d

SHA512
e2f4c2650674f8029661903f8af0b11c7dc68ac68da2f503079f7706e29f4c7b5b8e852a3bf2523ad1f8b2b037f54b9ad94bf6a3be0902e15808bbc83122033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C47.tmp\qfq.exe

Filesize
386KB

MD5
c279aaa5b53eaacb97a408f07e5b72ff

SHA1
8c832fc2224c77dd86a66402a325df3cf9f873db

SHA256
bff5fd3a32a905fd569d997fdf864540b0182524f13799387b5f9cb1dcb227d0

SHA512
32f8490a2c666bb42cb9348efcfd735c7d55fd7c7f5bcf484b4b8aab205ca67bdb00163fe899ade43647a8939ba524e7a85e2175f05c3315552147d5c0a98eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C47.tmp\qfq.exe

Filesize
386KB

MD5
c279aaa5b53eaacb97a408f07e5b72ff

SHA1
8c832fc2224c77dd86a66402a325df3cf9f873db

SHA256
bff5fd3a32a905fd569d997fdf864540b0182524f13799387b5f9cb1dcb227d0

SHA512
32f8490a2c666bb42cb9348efcfd735c7d55fd7c7f5bcf484b4b8aab205ca67bdb00163fe899ade43647a8939ba524e7a85e2175f05c3315552147d5c0a98eb8

Download Submit
memory/3400-14-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/3400-12-0x00000000008B0000-0x0000000000918000-memory.dmp

Filesize
416KB

Download
memory/3400-13-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/3400-11-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-15-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/3400-16-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3400-17-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/3400-18-0x0000000005610000-0x0000000005666000-memory.dmp

Filesize
344KB

Download
memory/3400-19-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-20-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download