077a9894f88c417ca51054ac6ffe581b877d7eff46591df6094ade310558454f

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f863947d46d6d7b3c19b2ba2f37cd6.exe
Size

30KB
MD5

e1f863947d46d6d7b3c19b2ba2f37cd6
SHA1

842848e315fe61b2b67ced5ec41b0d2d2ead8c6a
SHA256

077a9894f88c417ca51054ac6ffe581b877d7eff46591df6094ade310558454f
SHA512

2dbeafb3e41041158be0111eca3b5ea89030117ce24432fcd62b93e8eda1396fab4752628ef0d9a08c6604d885e7320712a24ec91d594fa7d864bcf92defaf84
SSDEEP

192:dBRaonwR2FkQMdcseaeZC1tA5WDC4e2vYwWTH:dbnwR2FRnlaeZC1t324YNL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	e1f863947d46d6d7b3c19b2ba2f37cd6.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	hummy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2496	2384	e1f863947d46d6d7b3c19b2ba2f37cd6.exe	91
PID 2384 wrote to memory of 2496	2384	e1f863947d46d6d7b3c19b2ba2f37cd6.exe	91
PID 2384 wrote to memory of 2496	2384	e1f863947d46d6d7b3c19b2ba2f37cd6.exe	91

C:\Users\Admin\AppData\Local\Temp\e1f863947d46d6d7b3c19b2ba2f37cd6.exe
"C:\Users\Admin\AppData\Local\Temp\e1f863947d46d6d7b3c19b2ba2f37cd6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\hummy.exe
  "C:\Users\Admin\AppData\Local\Temp\hummy.exe"
  2⤵
  - Executes dropped EXE
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hummy.exe

Filesize
30KB

MD5
7ce98b71c38897c8583e6726b188ebac

SHA1
03f0c9cf5e13109b492e497e68bc934a929264b5

SHA256
9e606b55e2f7585e0bd2bb56efca242ddc85f089d9704feab354ac64cd9fa40f

SHA512
032e4dd01cd404fae2caeb887c7c02c16f2d4f308b49e083d0e0d47aaa44c3a9882a38743a5bd94eb3526f8ec99b1e63945fda7f3bab98fc320f5c32e1a2de78

Download Submit