167d7d5831a7569e2bb2acb20bb529cb4c65faeb4372b960c0d81d8a1aa0ce96

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13400eb356d127fac27b058138ededf5.exe
Size

361KB
MD5

13400eb356d127fac27b058138ededf5
SHA1

6024cbd3d7520fa799505be9e3ea9ba2013c7fba
SHA256

167d7d5831a7569e2bb2acb20bb529cb4c65faeb4372b960c0d81d8a1aa0ce96
SHA512

670631c73ba5a6e45064c4e352909622aef5e38973f079dcc67ced4e4660af69625689a1c06bfe01253c7538cb7d39285b6c3219947c36512aa42743c0855146
SSDEEP

6144:I880/RD0dIXmFLbii5bkgVuN+xSKV7Wkrsf7LsI/rhwyHR4vBAs0:I8842dIXgXikbkgaISKV8rhwyHR070

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	13400eb356d127fac27b058138ededf5.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	2637C1C6-8FF9-4EDD-A281-EE57290B782D.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	13400eb356d127fac27b058138ededf5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1128	1396	13400eb356d127fac27b058138ededf5.exe	89
PID 1396 wrote to memory of 1128	1396	13400eb356d127fac27b058138ededf5.exe	89
PID 1396 wrote to memory of 1128	1396	13400eb356d127fac27b058138ededf5.exe	89
PID 1396 wrote to memory of 1380	1396	13400eb356d127fac27b058138ededf5.exe	94
PID 1396 wrote to memory of 1380	1396	13400eb356d127fac27b058138ededf5.exe	94
PID 1396 wrote to memory of 1380	1396	13400eb356d127fac27b058138ededf5.exe	94

C:\Users\Admin\AppData\Local\Temp\13400eb356d127fac27b058138ededf5.exe
"C:\Users\Admin\AppData\Local\Temp\13400eb356d127fac27b058138ededf5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396
- C:\f856a777-1aed-4cfd-bf65-1f0f7099489a\2637C1C6-8FF9-4EDD-A281-EE57290B782D.exe
  "C:\f856a777-1aed-4cfd-bf65-1f0f7099489a\2637C1C6-8FF9-4EDD-A281-EE57290B782D.exe" -y -p4CDDDF5F-F27E-45C6-9167-BDF5980E1DD4
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\f856a777-1aed-4cfd-bf65-1f0f7099489a\start.hta
  2⤵
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\f856a777-1aed-4cfd-bf65-1f0f7099489a\2637C1C6-8FF9-4EDD-A281-EE57290B782D.exe

Filesize
208KB

MD5
455a657c1ffe4eb3189e0a7d815d4298

SHA1
555c86f55c84ed86b7de79daf515de333a139bd7

SHA256
7916bfb5aab053bb96d5a2445a2ad9efa8459371f140316994ca9d7ceba9120b

SHA512
778c68a61ea450a92926c4b6de4ad422e8cd42581285864a11813c4d36219d631a98096997a8ef705cf1648b70564f3d6e6549e6ddfdec138867069cea33a3ad

Download Submit
\??\c:\f856a777-1aed-4cfd-bf65-1f0f7099489a\InstallerHelper.dll

Filesize
132KB

MD5
90d6192f098dbdb13a3af0c3f7caeb0b

SHA1
f5b7034a841e2d73fa55fd092e15873c10b81dd4

SHA256
87e5b137563770bae5b3f1a63327c21f41d5682f334cbcf6be687cc5f52b9d54

SHA512
0a1c0878707fc1a57bc047aadbf75f4dc976214fa4030c1468e17aa48be83f89bd20e7fc4c4529580dd9de16e4debfdd4dcf084f1bed8bacdb2c48d8ce458428

Download Submit
\??\c:\f856a777-1aed-4cfd-bf65-1f0f7099489a\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\f856a777-1aed-4cfd-bf65-1f0f7099489a\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit