b920dee7cda2e0d69b5ffef96ac33929106b4f5679be3bb20f570537e41c525d

Analysis

max time kernel
3s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe
Size

56KB
MD5

cdb9f4d1d38faf4f665394fb9be769d0
SHA1

6b5db5b73f1ca0ecd13d19ec2721ce2143a4b61e
SHA256

b920dee7cda2e0d69b5ffef96ac33929106b4f5679be3bb20f570537e41c525d
SHA512

36535a9869fdae35bf5fbf469f690f4f98ea5ce8c349820d867e08dbb6a464f51b487e060677295e489ae3fceebd5fcda299075961b83c07f8d95d8b99478609
SSDEEP

768:EFLDi1w5BMY14AljeNnupoI1MvOftQdXKuctuIOceAFHR6FNh3XQ:El2KiYFjWnupoI1wOFIKluIOoRP

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	photos.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3768-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x000800000002320a-7.dat	upx
behavioral2/files/0x000800000002320a-9.dat	upx
behavioral2/files/0x000800000002320a-10.dat	upx
behavioral2/memory/3768-12-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/1644-28-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 1644	3768	cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe	82
PID 3768 wrote to memory of 1644	3768	cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe	82
PID 3768 wrote to memory of 1644	3768	cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe	82

C:\Users\Admin\AppData\Local\Temp\cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\cdb9f4d1d38faf4f665394fb9be769d0_exe32.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\photos.exe
  "C:\Users\Admin\AppData\Local\Temp\photos.exe"
  2⤵
  - Executes dropped EXE
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\photos.exe

Filesize
57KB

MD5
e3282269563da97b755589b071aaec95

SHA1
49ef76567847e4ec62d5d35f27c01aa07bd21de8

SHA256
4f5dce2ee8488e24fdbcd40ebc23590b2f72fd27c8f9afb61cb723aa1d3708f7

SHA512
bae19bf1ed55616a6d589687daad999e5c12ac0668397ad7f88633999c7434c2d2165861b4f0943dcb0d53aed5b5c1deb0ea254b599d8f3a0f8d003a6ab64437

Download Submit
C:\Users\Admin\AppData\Local\Temp\photos.exe

Filesize
57KB

MD5
e3282269563da97b755589b071aaec95

SHA1
49ef76567847e4ec62d5d35f27c01aa07bd21de8

SHA256
4f5dce2ee8488e24fdbcd40ebc23590b2f72fd27c8f9afb61cb723aa1d3708f7

SHA512
bae19bf1ed55616a6d589687daad999e5c12ac0668397ad7f88633999c7434c2d2165861b4f0943dcb0d53aed5b5c1deb0ea254b599d8f3a0f8d003a6ab64437

Download Submit
C:\Users\Admin\AppData\Local\Temp\photos.exe

Filesize
57KB

MD5
e3282269563da97b755589b071aaec95

SHA1
49ef76567847e4ec62d5d35f27c01aa07bd21de8

SHA256
4f5dce2ee8488e24fdbcd40ebc23590b2f72fd27c8f9afb61cb723aa1d3708f7

SHA512
bae19bf1ed55616a6d589687daad999e5c12ac0668397ad7f88633999c7434c2d2165861b4f0943dcb0d53aed5b5c1deb0ea254b599d8f3a0f8d003a6ab64437

Download Submit
memory/1644-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3768-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3768-1-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/3768-2-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/3768-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download