7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33

Analysis

max time kernel
137s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe
Size

1.7MB
MD5

cd6452d2f0da2ef84957f7f7fe814f9c
SHA1

8069b29c288bfcbb8e2aef752a4522efa3d2c795
SHA256

7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33
SHA512

0aa416f5749993532c6d18ade3241423859551a9427d62675e3b74753996c76e5546780628bef14dd62c87c94368a1817b3e88af31b6631131e4e0855c9775db
SSDEEP

49152:rLLqCe9pbRCgw44pZuc6/iGEqGf+6yzfqCN29M/:rq9pbRCgw44pxQpGCPc+/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe

Loads dropped DLL 1 IoCs

pid	Process
4168	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4168	4612	7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe	84
PID 4612 wrote to memory of 4168	4612	7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe	84
PID 4612 wrote to memory of 4168	4612	7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe	84

C:\Users\Admin\AppData\Local\Temp\7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe
"C:\Users\Admin\AppData\Local\Temp\7fb1d7ad59bdec73c578d461e5b1203dd041a145f44eaaa2c48fc0ae14789a33.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /U KR3m._DN /s
  2⤵
  - Loads dropped DLL
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KR3m._DN

Filesize
1.4MB

MD5
d2c5a657a81060d507b20dd6bae59382

SHA1
15dde1855d58f7fd01c92df19782862b02c01672

SHA256
afc64f65fda236385682eba827059ba02fb93bfc4631189e3b19b2d68af5536e

SHA512
4780928765f82adbae9f14f91300c3ab251fba1fe2f66082d392270724002285085ccbd6034e6d32a61f2a593a97a7a3477099cb1e8876163c1da1f1df46c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\kR3m._DN

Filesize
1.4MB

MD5
d2c5a657a81060d507b20dd6bae59382

SHA1
15dde1855d58f7fd01c92df19782862b02c01672

SHA256
afc64f65fda236385682eba827059ba02fb93bfc4631189e3b19b2d68af5536e

SHA512
4780928765f82adbae9f14f91300c3ab251fba1fe2f66082d392270724002285085ccbd6034e6d32a61f2a593a97a7a3477099cb1e8876163c1da1f1df46c299

Download Submit
memory/4168-4-0x0000000000C30000-0x0000000000C36000-memory.dmp

Filesize
24KB

Download
memory/4168-5-0x0000000010000000-0x0000000010166000-memory.dmp

Filesize
1.4MB

Download
memory/4168-7-0x00000000027C0000-0x00000000028D2000-memory.dmp

Filesize
1.1MB

Download
memory/4168-8-0x00000000028E0000-0x00000000029D7000-memory.dmp

Filesize
988KB

Download
memory/4168-11-0x00000000028E0000-0x00000000029D7000-memory.dmp

Filesize
988KB

Download
memory/4168-12-0x00000000028E0000-0x00000000029D7000-memory.dmp

Filesize
988KB

Download