8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1

Analysis

max time kernel
177s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe
Size

2.0MB
MD5

3983f67408d22b51478c7abe0c3fcd3d
SHA1

d509f9a256fd4c6291f83a44ba23e64e6afe6cc4
SHA256

8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1
SHA512

299fc38772b19b15d8825939e91967939d3db34727ee4907a5cb0a6a32068df2f7533bd5b8386089cec19a12bab98c0366342d8b330f55d92927a3289dd2802e
SSDEEP

49152:2WhlHLBfJXAE9V85PWtgSpOGXqKtRQIqy7JycqU/GGndSTW8W:2WhlrBfKEe+WGltM4+aN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe

Loads dropped DLL 1 IoCs

pid	Process
4008	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4008	4568	8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe	89
PID 4568 wrote to memory of 4008	4568	8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe	89
PID 4568 wrote to memory of 4008	4568	8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe	89

C:\Users\Admin\AppData\Local\Temp\8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe
"C:\Users\Admin\AppData\Local\Temp\8ed3f5bf3801be7c06f916ccd1de077836a8d999443279e972c062e0a3b2cbd1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s .\3CBPPViU.Km -u
  2⤵
  - Loads dropped DLL
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CBPPViU.Km

Filesize
1.4MB

MD5
de8eedbcee43fab20093873975db59b0

SHA1
28efab3f5c316d5da0adacc02e0cf1b0f38f99cd

SHA256
23307bb8f94876c02a9e89ad52a3990a2b2dac2a4c3ddf08b7855bdb186e5358

SHA512
a46f33cb320651a8aeed40d33762cd09e18cb933f15f0947df4431764fdd5e5a433565b15c242793bd6be758bb46b0d6745a2cf5eda6bc92fb05f3d1d2861c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CBPpViU.km

Filesize
1.4MB

MD5
de8eedbcee43fab20093873975db59b0

SHA1
28efab3f5c316d5da0adacc02e0cf1b0f38f99cd

SHA256
23307bb8f94876c02a9e89ad52a3990a2b2dac2a4c3ddf08b7855bdb186e5358

SHA512
a46f33cb320651a8aeed40d33762cd09e18cb933f15f0947df4431764fdd5e5a433565b15c242793bd6be758bb46b0d6745a2cf5eda6bc92fb05f3d1d2861c14

Download Submit
memory/4008-4-0x0000000002970000-0x0000000002976000-memory.dmp

Filesize
24KB

Download
memory/4008-5-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/4008-7-0x0000000002D50000-0x0000000002E6E000-memory.dmp

Filesize
1.1MB

Download
memory/4008-8-0x0000000002E70000-0x0000000002F72000-memory.dmp

Filesize
1.0MB

Download
memory/4008-11-0x0000000002E70000-0x0000000002F72000-memory.dmp

Filesize
1.0MB

Download
memory/4008-12-0x0000000002E70000-0x0000000002F72000-memory.dmp

Filesize
1.0MB

Download