245cb018b0ee380603fdd829e2cbecffe648095cb024771b7c815ca05b5e8fe8

Analysis

max time kernel
86s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe
Size

24KB
MD5

e02ae5c72b90b1f97f9dbf31b3308050
SHA1

3f2624c21140ac066c02a3f3a4b8f54aa7af78ea
SHA256

245cb018b0ee380603fdd829e2cbecffe648095cb024771b7c815ca05b5e8fe8
SHA512

860a2c5978ebff692a8b09464f48e8e527b21e03a883377d3116dd519de3a0b99ebc7bb7181f19f5c723fa8d4050cbcc189c289426aba1ca4e85a40d993712b9
SSDEEP

384:mQ1ShPOBkreZVX76WZ8Q15S6RNio4G9sLDkkg:mKUGBAgVr38qxRT4E82

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	htchecks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4812	396	e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe	84
PID 396 wrote to memory of 4812	396	e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe	84
PID 396 wrote to memory of 4812	396	e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe	84

C:\Users\Admin\AppData\Local\Temp\e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\e02ae5c72b90b1f97f9dbf31b3308050_exe32.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\htchecks.exe
  "C:\Users\Admin\AppData\Local\Temp\htchecks.exe"
  2⤵
  - Executes dropped EXE
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\htchecks.exe

Filesize
24KB

MD5
72855247a90d17371bd5c61550b05df8

SHA1
d1f8c77fc1f312c4de6634f1c69d609e6ef36f5b

SHA256
7546285bd5dc22cecd23b895d18ebe888c2b85f5bb08bcf0c267197a8ecbb6ca

SHA512
ee9ece26bc9f230d08d36a85f7ae28e3cf7d250095a2ad64fa36e83f9d5649e58c8848a29094abe35f80451340f579fba8d2bf84fa9d97a711dd2eab5fb43c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\htchecks.exe

Filesize
24KB

MD5
72855247a90d17371bd5c61550b05df8

SHA1
d1f8c77fc1f312c4de6634f1c69d609e6ef36f5b

SHA256
7546285bd5dc22cecd23b895d18ebe888c2b85f5bb08bcf0c267197a8ecbb6ca

SHA512
ee9ece26bc9f230d08d36a85f7ae28e3cf7d250095a2ad64fa36e83f9d5649e58c8848a29094abe35f80451340f579fba8d2bf84fa9d97a711dd2eab5fb43c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\htchecks.exe

Filesize
24KB

MD5
72855247a90d17371bd5c61550b05df8

SHA1
d1f8c77fc1f312c4de6634f1c69d609e6ef36f5b

SHA256
7546285bd5dc22cecd23b895d18ebe888c2b85f5bb08bcf0c267197a8ecbb6ca

SHA512
ee9ece26bc9f230d08d36a85f7ae28e3cf7d250095a2ad64fa36e83f9d5649e58c8848a29094abe35f80451340f579fba8d2bf84fa9d97a711dd2eab5fb43c69

Download Submit
memory/396-0-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/396-1-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/396-2-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/4812-21-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download