84d4c0a0dc85b3fda3056a23bf3cf007e7d14f7676f26a3251a71ec71df87a2c

Analysis

max time kernel
142s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aa17542acdc1e76b4e2b9491b12bb95.exe
Size

2.7MB
MD5

0aa17542acdc1e76b4e2b9491b12bb95
SHA1

7d4a24876e189beaa7aff0e87dfe43309fd8d23f
SHA256

84d4c0a0dc85b3fda3056a23bf3cf007e7d14f7676f26a3251a71ec71df87a2c
SHA512

d4b5c94eb46c22a3e2155f289e04c238dcc6da25e8270f3fb1bf6142a1b1dbf2220431caba613af523ab7e2cfe82d545389548b9f85205e061ecf325234cb8ef
SSDEEP

49152:bFbz2QXIDgdSsB7F21DpbbBR6KNSoYkrnHWVoFhu1XGgXs4bx0lUZc:bFP2QXIMh3oph0K+kLWoFhu1Wg84beUm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	0aa17542acdc1e76b4e2b9491b12bb95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3444	4744	0aa17542acdc1e76b4e2b9491b12bb95.exe	93
PID 4744 wrote to memory of 3444	4744	0aa17542acdc1e76b4e2b9491b12bb95.exe	93
PID 4744 wrote to memory of 3444	4744	0aa17542acdc1e76b4e2b9491b12bb95.exe	93
PID 3444 wrote to memory of 3468	3444	cmd.exe	97
PID 3444 wrote to memory of 3468	3444	cmd.exe	97
PID 3444 wrote to memory of 3468	3444	cmd.exe	97
PID 3444 wrote to memory of 2700	3444	cmd.exe	98
PID 3444 wrote to memory of 2700	3444	cmd.exe	98
PID 3444 wrote to memory of 2700	3444	cmd.exe	98
PID 3444 wrote to memory of 944	3444	cmd.exe	99
PID 3444 wrote to memory of 944	3444	cmd.exe	99
PID 3444 wrote to memory of 944	3444	cmd.exe	99
PID 3444 wrote to memory of 3540	3444	cmd.exe	100
PID 3444 wrote to memory of 3540	3444	cmd.exe	100
PID 3444 wrote to memory of 3540	3444	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\0aa17542acdc1e76b4e2b9491b12bb95.exe
"C:\Users\Admin\AppData\Local\Temp\0aa17542acdc1e76b4e2b9491b12bb95.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ejecutame.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s c:\tlmp\g0.pf 2>nul
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s f:\tlmp\g0.pf 2>nul
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s c:\tlmp\g0.pf 2>nul
    3⤵
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s f:\tlmp\g0.pf 2>nul
    3⤵
    PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ejecutame.bat

Filesize
3KB

MD5
003462ada14f46566e014e87e7248b4b

SHA1
0f7e40c57d8d6f1923b828dc8459b464a361e622

SHA256
9be0740333aace4aceb1a6f84c78468affd6889c9d61bd428d34db26e80c8fd5

SHA512
6463a000d2f6f1fe8b609cc1f83b724a5fce4d5016bcd3b79660cf32c37c62c845c2125597c02f95c49fdcefe1d3ca486e0def46efbdbe74c0d88bf1481e72ba

Download Submit