e37615f09542956bf3bb227566ae2a01b9aef790af786ac3277cf7845a5dcfdd

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0157aa1316c9b772545b8f469eafc0b.exe
Size

11KB
MD5

d0157aa1316c9b772545b8f469eafc0b
SHA1

3eb26ac22470678ef9f0250e02691641a012d571
SHA256

e37615f09542956bf3bb227566ae2a01b9aef790af786ac3277cf7845a5dcfdd
SHA512

59a6be74c8b07166958023ee6785283c69b26ab8c9d77c41eb7d192d4498264554c589f787890b904243eb2a6a6e5285388c487045b5dbf8852cee666b2394ba
SSDEEP

96:ZRm3QC3oSXGdTfwIqYwnumr4CX/Hx/HfpV5MIefyVnfYC2gLSw:XiQC3oSWdHwnzr9V/bpVnAC3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	d0157aa1316c9b772545b8f469eafc0b.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	ymjrx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4704	4796	d0157aa1316c9b772545b8f469eafc0b.exe	19
PID 4796 wrote to memory of 4704	4796	d0157aa1316c9b772545b8f469eafc0b.exe	19
PID 4796 wrote to memory of 4704	4796	d0157aa1316c9b772545b8f469eafc0b.exe	19

C:\Users\Admin\AppData\Local\Temp\d0157aa1316c9b772545b8f469eafc0b.exe
"C:\Users\Admin\AppData\Local\Temp\d0157aa1316c9b772545b8f469eafc0b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\ymjrx.exe
  "C:\Users\Admin\AppData\Local\Temp\ymjrx.exe"
  2⤵
  - Executes dropped EXE
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ymjrx.exe

Filesize
11KB

MD5
ac657caba8a538a4ca05d7a55d41f08f

SHA1
8617e3d5ad9cde6c79e4f9efa202bf97e49ade8a

SHA256
05c629e0ea6deb2165338b6164635adf91879cf966ffe41302db1d82652a37c5

SHA512
e02176012f316ce532829f0c4f820a90f154b8d3882377d5d178c228a60863cd8a7798d23333d23195b2a3eeb18573082e7585523f7cdd4ad0464185890bfd70

Download Submit