fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e

Analysis

max time kernel
127s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
Size

508KB
MD5

38d29433e944ba129fa1457c564ddfaf
SHA1

77b33b7ad847ea6d1405c7909a2ce7bcba132f3d
SHA256

fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e
SHA512

08312449987c0fa3f5ac68fc0779763f6bc8932a5037d572d440a935ef037eddd8027000c41c2153fb146a4e5241b32e1bc44a80e3792a005023388d2529bf4b
SSDEEP

6144:vW0J07EHxsWKKCbrZXDbI33z5P/kjguInr39tAOLPvI1ILz:O4CWKKCrZTGF/k8uMxtxPvvz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tkjsidfsd	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4520	2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	104
PID 2440 wrote to memory of 4520	2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	104
PID 2440 wrote to memory of 4520	2440	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	104

C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
"C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe"
  2⤵
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tkjsidfsd

Filesize
97B

MD5
87d5d9cd1d53739f1ccf032942de50fc

SHA1
58f87e5aef081650edc6414bf6d2286f3b275e17

SHA256
56bda9270b97809718abff70ca4d9d1880f3051ff3af4e9a5851fb3547f320b3

SHA512
396c6d52dca9623a8e5bdf34df67feda6e06389d56fe61ccb5d87d48f699dad2f83c532e2bafe0a8a2ed8ac426fece838f8745fcfcb4e09011bbe8b4bface00d

Download Submit
C:\Windows\tkjsidfsd

Filesize
48B

MD5
d9cd1f291b99fb29ec3ad5e8e5ecb23b

SHA1
7ffbe6aa92ad98577727aa4bfaa1920dfd3dbf69

SHA256
9fe16bc85a08740f43e975c1a64424ecba39d2f69df1dd570cb97bdba79c97c2

SHA512
ed21f4e5671bfd5b2a6c0d1319ad308ec6c1521b143fd6c576e9cb0aae2325ed2d5a0f92a7504523c274fab94e9eaa5b2549e71582d204894f26b5d7107fd5bb

Download Submit
C:\Windows\tkjsidfsd

Filesize
97B

MD5
87d5d9cd1d53739f1ccf032942de50fc

SHA1
58f87e5aef081650edc6414bf6d2286f3b275e17

SHA256
56bda9270b97809718abff70ca4d9d1880f3051ff3af4e9a5851fb3547f320b3

SHA512
396c6d52dca9623a8e5bdf34df67feda6e06389d56fe61ccb5d87d48f699dad2f83c532e2bafe0a8a2ed8ac426fece838f8745fcfcb4e09011bbe8b4bface00d

Download Submit
C:\Windows\tkjsidfsd

Filesize
121B

MD5
467e88f8f68a301d30ff67c8e4b97a59

SHA1
1e8b2ed9e1f0464fd953fc415b9e8f874a22a277

SHA256
dfe3e10036e89d18a8acd8d627b73150e7c0c2b517ff229ccecb13be82d596a0

SHA512
e248cb6acbf10920a3f8c84dc2c84b685b1df2177c02076c8949d03e590cc91241bbabaedc066660fce98075d6099545c5f7d747fbe119f6000359a0daf8be04

Download Submit