e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe
Size

2.1MB
MD5

fb9d9bba776e66717c69acdfe12b5b06
SHA1

45d01b6b0dea4e5a07f022180f541d1a97313a40
SHA256

e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d
SHA512

b8e09fba031e83ec584e4f9e52b08897728a952fc322ad12c3a53c8b3d36821a31d9f322fc970bcad3cde73623a72e0882ec899f37edc83d1d6da31f6846e659
SSDEEP

24576:BubsnafAPyjJ43/G6z8IqqqZa04IS56zrYJqrnWpe6S8L/M:FIYGK8IqqqZa04IKiryqr16V4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	mediacreationtool.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	mediacreationtool.exe
4936	idk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4596	5100	e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe	88
PID 5100 wrote to memory of 4596	5100	e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe	88
PID 5100 wrote to memory of 4596	5100	e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe	88
PID 4596 wrote to memory of 4936	4596	mediacreationtool.exe	91
PID 4596 wrote to memory of 4936	4596	mediacreationtool.exe	91

C:\Users\Admin\AppData\Local\Temp\e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe
"C:\Users\Admin\AppData\Local\Temp\e1586fe2368208c3678604b743fa3d81f10ecb8476ea454d419158e91e09628d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mediacreationtool.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mediacreationtool.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\idk.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\idk.exe"
    3⤵
    - Executes dropped EXE
    PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mediacreationtool.exe

Filesize
1.7MB

MD5
7feb7375eb65d1781c79e57027cf04f0

SHA1
8ac3b4ebd77572c28dd07f6abc74b2b93d8e8296

SHA256
ed0b9fde2d70c423f210c2e8010b785f537ad0a5b5efd030e777440ffecd25c5

SHA512
15339a91b39a286ca7c4ae43d4465bf1e0ea1a4b9f7751f1da712b19558ab281c4d322fedf2246e17c6953a7f01aebdf72a955a5a800e155146645927d0c5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mediacreationtool.exe

Filesize
1.7MB

MD5
7feb7375eb65d1781c79e57027cf04f0

SHA1
8ac3b4ebd77572c28dd07f6abc74b2b93d8e8296

SHA256
ed0b9fde2d70c423f210c2e8010b785f537ad0a5b5efd030e777440ffecd25c5

SHA512
15339a91b39a286ca7c4ae43d4465bf1e0ea1a4b9f7751f1da712b19558ab281c4d322fedf2246e17c6953a7f01aebdf72a955a5a800e155146645927d0c5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mediacreationtool.exe

Filesize
1.7MB

MD5
7feb7375eb65d1781c79e57027cf04f0

SHA1
8ac3b4ebd77572c28dd07f6abc74b2b93d8e8296

SHA256
ed0b9fde2d70c423f210c2e8010b785f537ad0a5b5efd030e777440ffecd25c5

SHA512
15339a91b39a286ca7c4ae43d4465bf1e0ea1a4b9f7751f1da712b19558ab281c4d322fedf2246e17c6953a7f01aebdf72a955a5a800e155146645927d0c5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\idk.exe

Filesize
146KB

MD5
e0b03527ec115201908601075e0235e5

SHA1
7cf9ca04d515136e226d0c3e8cca5ec249d44f63

SHA256
57cd219b74d935c560e7248ba16b3d3abe05d637b2bc318a55d30808b227d2fa

SHA512
92faf7a8e52fe8234b9a97b0be1945c36a8e79f0d6cd5df4f6673519aa701ea778057367300df7724bdbb35b729cd0adb5651d26bed67be043c22d0284056c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\idk.exe

Filesize
146KB

MD5
e0b03527ec115201908601075e0235e5

SHA1
7cf9ca04d515136e226d0c3e8cca5ec249d44f63

SHA256
57cd219b74d935c560e7248ba16b3d3abe05d637b2bc318a55d30808b227d2fa

SHA512
92faf7a8e52fe8234b9a97b0be1945c36a8e79f0d6cd5df4f6673519aa701ea778057367300df7724bdbb35b729cd0adb5651d26bed67be043c22d0284056c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\idk.exe

Filesize
146KB

MD5
e0b03527ec115201908601075e0235e5

SHA1
7cf9ca04d515136e226d0c3e8cca5ec249d44f63

SHA256
57cd219b74d935c560e7248ba16b3d3abe05d637b2bc318a55d30808b227d2fa

SHA512
92faf7a8e52fe8234b9a97b0be1945c36a8e79f0d6cd5df4f6673519aa701ea778057367300df7724bdbb35b729cd0adb5651d26bed67be043c22d0284056c6e

Download Submit