3a60b4231d79734747159dee3fa46fc46fddeaad4bc43d2673ba2af18050845f

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b304933477e99ea3f4cc590444ba6ca8.exe
Size

3.4MB
MD5

b304933477e99ea3f4cc590444ba6ca8
SHA1

7753ea9c326948dfb36a388875786cdae4d69da4
SHA256

3a60b4231d79734747159dee3fa46fc46fddeaad4bc43d2673ba2af18050845f
SHA512

63dbc484b082cba289bac9ee987826e45949b0dea618a97d0206088aa7a861b6f1cbf9ac3436b58dd9c352fbf497c4953fb9c7b9b565c09f1520c861560b560c
SSDEEP

98304:1/hkoj2oUU1W15I9Q/U/MQjuy8hTc1uG1uiC:1/PVs5IwVYUc1Wi

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
34	5084	cmd.exe
35	5084	cmd.exe
43	5084	cmd.exe
44	5084	cmd.exe
64	5084	cmd.exe
65	5084	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b304933477e99ea3f4cc590444ba6ca8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	vHqlG02yYpHW8rS.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe	b304933477e99ea3f4cc590444ba6ca8.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
1412	vHqlG02yYpHW8rS.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe
5084	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3168	3972	b304933477e99ea3f4cc590444ba6ca8.exe	88
PID 3972 wrote to memory of 3168	3972	b304933477e99ea3f4cc590444ba6ca8.exe	88
PID 3972 wrote to memory of 3168	3972	b304933477e99ea3f4cc590444ba6ca8.exe	88
PID 3168 wrote to memory of 2000	3168	b304933477e99ea3f4cc590444ba6ca8.exe	94
PID 3168 wrote to memory of 2000	3168	b304933477e99ea3f4cc590444ba6ca8.exe	94
PID 3168 wrote to memory of 2000	3168	b304933477e99ea3f4cc590444ba6ca8.exe	94
PID 2000 wrote to memory of 1412	2000	vHqlG02yYpHW8rS.exe	95
PID 2000 wrote to memory of 1412	2000	vHqlG02yYpHW8rS.exe	95
PID 2000 wrote to memory of 1412	2000	vHqlG02yYpHW8rS.exe	95
PID 1412 wrote to memory of 5084	1412	vHqlG02yYpHW8rS.exe	96
PID 1412 wrote to memory of 5084	1412	vHqlG02yYpHW8rS.exe	96
PID 1412 wrote to memory of 5084	1412	vHqlG02yYpHW8rS.exe	96
PID 1412 wrote to memory of 5084	1412	vHqlG02yYpHW8rS.exe	96
PID 1412 wrote to memory of 5084	1412	vHqlG02yYpHW8rS.exe	96

C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe
"C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe
  "C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe" "C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe" "C:\Users\Admin\AppData\Local\Temp\b304933477e99ea3f4cc590444ba6ca8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe

Filesize
1.1MB

MD5
cf04b352df81c0cc3ec1e0fc14975e42

SHA1
738219bea86c8d23b6e8ab1086778b19e5197510

SHA256
882037fd9a19fe8c869c67343712fe991d90ad6020b4e5298bb4f7a84f4f5107

SHA512
5ba1a4d7e5cd6da1e9c62d4afb5c37eed483e3a24a9e749c0906605e77233c75dea9e98821ea5f25e54d621344d8660f6a4624b206c990d9fad63479fc892c00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe

Filesize
1.2MB

MD5
f4b717950ad7e5635f3f30a21d9dae5d

SHA1
f198ea3a5c97ca6d86607a8c7ccd986e187ae208

SHA256
b898a214609ec970d95ec21107f3f6e54921cb414c937a610663b94f0b9cfd45

SHA512
456ee9c2425c84afd8a2037254f4e9f65162cf2bcd3dbd00da71c6ab177b8f7bf01993494b0d6bf65a1970a605d7c587cbf2ca7d7439e30661a149e07dc26341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe

Filesize
3.4MB

MD5
aa5f263049a183e2fcfdee6b1b0fd8c8

SHA1
35704a5d1fa716eb5912b68dc31a7ea5a51ebd99

SHA256
b6c37bbd370142adeebeec2a3e0c7797b460048252430f33716788730eeda014

SHA512
4b781bd1d3a04c994a1f3102ac5b2edeba88e6d937021c6d5ec20273bdd4b3a5ada36edaffcff3b69a3b440aa84aa19c6de5d746055c9f8fc5ca2c8dc8ab6495

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vHqlG02yYpHW8rS.exe

Filesize
1.5MB

MD5
226e13b8a7d59b0d14c248bfb79afea9

SHA1
72e0772acdd2e8b029ac9971e2787179e4cd5ad8

SHA256
18095ac657b5871f58a9732e09642a0c9be07e6ee9e63d1dfffe8b648d65266b

SHA512
a03a1a33c94522be7e3889498cde9e5f2accbd1517fcf177149d7edaf7ee4f87fc91ae9296237e4007611d0eb294f83aec5f1b1a3a7aa5f426ddde9a54f9866c

Download Submit
memory/1412-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1412-19-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/1412-25-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/1412-24-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1412-23-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/1412-21-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/1412-28-0x0000000002A90000-0x0000000002B2E000-memory.dmp

Filesize
632KB

Download
memory/1412-16-0x0000000002A90000-0x0000000002B2E000-memory.dmp

Filesize
632KB

Download
memory/1412-17-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/1412-18-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/2000-22-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2000-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3168-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3168-2-0x00000000029D0000-0x0000000002A6E000-memory.dmp

Filesize
632KB

Download
memory/3168-14-0x00000000029D0000-0x0000000002A6E000-memory.dmp

Filesize
632KB

Download
memory/3168-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3972-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3972-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/5084-31-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-42-0x00000000021B0000-0x000000000224E000-memory.dmp

Filesize
632KB

Download
memory/5084-26-0x0000000001DE0000-0x0000000001E79000-memory.dmp

Filesize
612KB

Download
memory/5084-32-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-34-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/5084-33-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-35-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-36-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-37-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-38-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/5084-39-0x00000000021B0000-0x000000000224E000-memory.dmp

Filesize
632KB

Download
memory/5084-40-0x00000000021B0000-0x000000000224E000-memory.dmp

Filesize
632KB

Download
memory/5084-41-0x0000000006800000-0x0000000006849000-memory.dmp

Filesize
292KB

Download
memory/5084-29-0x00000000021B0000-0x000000000224E000-memory.dmp

Filesize
632KB

Download
memory/5084-43-0x00000000067D0000-0x00000000067F1000-memory.dmp

Filesize
132KB

Download
memory/5084-44-0x0000000008BE0000-0x0000000008C5E000-memory.dmp

Filesize
504KB

Download
memory/5084-46-0x0000000008CC0000-0x0000000008D7D000-memory.dmp

Filesize
756KB

Download
memory/5084-45-0x0000000008E80000-0x0000000008F6A000-memory.dmp

Filesize
936KB

Download
memory/5084-47-0x0000000009790000-0x000000000999B000-memory.dmp

Filesize
2.0MB

Download
memory/5084-48-0x00000000021B0000-0x000000000224E000-memory.dmp

Filesize
632KB

Download
memory/5084-50-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/5084-49-0x0000000009510000-0x00000000095B7000-memory.dmp

Filesize
668KB

Download
memory/5084-51-0x0000000008F70000-0x0000000009304000-memory.dmp

Filesize
3.6MB

Download
memory/5084-52-0x0000000008CC0000-0x0000000008D7D000-memory.dmp

Filesize
756KB

Download
memory/5084-53-0x0000000009790000-0x000000000999B000-memory.dmp

Filesize
2.0MB

Download
memory/5084-54-0x0000000009510000-0x00000000095B7000-memory.dmp

Filesize
668KB

Download
memory/5084-55-0x0000000008F70000-0x0000000009304000-memory.dmp

Filesize
3.6MB

Download