7a2937e8f401fe27177e893e10625a8d31f4d5441a2360d1f04d76b1a39525c7

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42755.exe
Size

539B
MD5

33f4b08d12e4efc081687adb5e2dbaa2
SHA1

b403850eadc845ae977933b8eb3b2d167533996a
SHA256

7a2937e8f401fe27177e893e10625a8d31f4d5441a2360d1f04d76b1a39525c7
SHA512

41a1d007cb654eb66cc6a2801446c61ca749101c40cea2c723d7843c5aae0474d84e36ddadbbf203881dd0261720ccf644f5ab6085a40fb2536d302880119b6a

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	42755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	42755.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4264	2704	42755.exe	86
PID 2704 wrote to memory of 4264	2704	42755.exe	86
PID 2704 wrote to memory of 4264	2704	42755.exe	86

C:\Users\Admin\AppData\Local\Temp\42755.exe
"C:\Users\Admin\AppData\Local\Temp\42755.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Test.bat"
  2⤵
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Test.bat

Filesize
217KB

MD5
29bffc2127e3f6b471a4c9739c9e0292

SHA1
164fee9fdca6cbbf894a36dec79b61bda1538466

SHA256
9324cd32578a768f80de03a94a230140069740f82c605d09f4acf375aa63729b

SHA512
d629102328625c786d703b286f56f80733cc2788ca555e57216411b4c323e8dd8e0c1c420b6e862586294942fdf6bd355dd0d8ee12ce6118a9a2f5223836af39

Download Submit