55ff30c07971eb38976e968567f399606ff7fde185ccb6269e152290510e1d5f

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1388d2341e92127dfa45e430ccaf39ea.exe
Size

1.0MB
MD5

1388d2341e92127dfa45e430ccaf39ea
SHA1

9f57b33e484997daea38700b2722935cecaccfa8
SHA256

55ff30c07971eb38976e968567f399606ff7fde185ccb6269e152290510e1d5f
SHA512

636750cb93cd34dca5ecaeeac71b4f57adbc41ffdb0b0f3a71cd62ea98c08110f341d27ab136e5699143310a5f812bd378f47fe790914523926811e2367d1018
SSDEEP

24576:pMM7OWkMM7OW40DBq1PXTvgUB7OWjxpV7OWtvr6eYifmgiH59KgwpY5D:pM3Mf0spjIU5b6Qfml59Kgw2D

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	1388d2341e92127dfa45e430ccaf39ea.exe

Executes dropped EXE 1 IoCs

pid	Process
2636	gooinjector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe
2636	gooinjector.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2636	3448	1388d2341e92127dfa45e430ccaf39ea.exe	24
PID 3448 wrote to memory of 2636	3448	1388d2341e92127dfa45e430ccaf39ea.exe	24
PID 3448 wrote to memory of 2636	3448	1388d2341e92127dfa45e430ccaf39ea.exe	24

C:\Users\Admin\AppData\Local\Temp\1388d2341e92127dfa45e430ccaf39ea.exe
"C:\Users\Admin\AppData\Local\Temp\1388d2341e92127dfa45e430ccaf39ea.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\~sfx0057E23EE3\gooinjector.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx0057E23EE3\gooinjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~sfx0057E23EE3\gooinjector.exe

Filesize
92KB

MD5
7dad408eaacfb0df8d6f724903aaef55

SHA1
2381c00b65f59873bd0e93195c6f9fb99c035dde

SHA256
c49b3b01dd7a003379965bb529392dd0979e82fc55ced0761a2081a1b135910c

SHA512
4039955da5c5f5c3f51c33a1d69f89f77bcbb498549f1b1b8a1c6b0c30a2b189831787294b7a581109b189ecf1f68224225da3ee54526c73dc3dc2bb556efb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx0057E23EE3\gooinjector.exe

Filesize
93KB

MD5
5bf132b3d3319ff842953f13c2911de5

SHA1
be8741eece8af97ae52762d5b74acecaf5d3696a

SHA256
b20ee7bc5189b6bf32949c09d0e2bf5a2dff47866bd360495e777bd84b46f998

SHA512
d421b6dd570b6579ee83febd318da94221055eeaff2fb4924830652a56f978b4e4df0dcfb56cdd19b2e94d9eb7b7d095460eb9a7804d0c465925ed95977726ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx0057E23EE3\gooinjector.exe

Filesize
382KB

MD5
af13ed52b4c115160c44ff553187b67d

SHA1
795e58cdf398aea39b0937c20aa8fa5dcc8ddcf4

SHA256
8326f57497a6197e7ca76fa48fda8715ecd0fa67bb4951d20842a267ded2a2b6

SHA512
b46837387836491c2d2e36d3c36c2c551459c802b83530232efb239343fe12b19a19bcbae18083bd013bda034882d20214bdb8d07355be1a202e503e6fdd356d

Download Submit
memory/2636-16-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2636-18-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2636-21-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3448-17-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download