c25a422adb9d3a908fce0bea29bb9b1e3d79caf699a9d4b73ed3c64ce73b9c1c

Analysis

max time kernel
0s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a70ddda3494f38620d8225722dcaa0b.exe
Size

124KB
MD5

1a70ddda3494f38620d8225722dcaa0b
SHA1

4ba005c61bfbbf44bb3a6d4e074db32ce1067cbb
SHA256

c25a422adb9d3a908fce0bea29bb9b1e3d79caf699a9d4b73ed3c64ce73b9c1c
SHA512

89871bfb42e4fa890ebee8c42d17a1b1c3a71be8c5e38eec29f05bc34071372024e9ab72ab9e2fdf3495f51165da427d6f0c2f9d564b569405a381a34fab848d
SSDEEP

3072:vifRL+q31nJ/XOXVh06/0NEUYynNELl1RAX61qrZLnznF:6fBZ1nJSZ/MY2ilfAq1IZt

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1a70ddda3494f38620d8225722dcaa0b.exe

Executes dropped EXE 1 IoCs

pid	Process
4144	1a70ddda3494f38620d8225722dcaa0b.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x00070000000231f2-5.dat	upx
behavioral2/files/0x00070000000231f5-17.dat	upx
behavioral2/memory/4144-19-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4144-18-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4948-16-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x00070000000231f5-15.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4144	4948	1a70ddda3494f38620d8225722dcaa0b.exe	18
PID 4948 wrote to memory of 4144	4948	1a70ddda3494f38620d8225722dcaa0b.exe	18
PID 4948 wrote to memory of 4144	4948	1a70ddda3494f38620d8225722dcaa0b.exe	18

C:\Users\Admin\AppData\Local\Temp\1a70ddda3494f38620d8225722dcaa0b.exe
"C:\Users\Admin\AppData\Local\Temp\1a70ddda3494f38620d8225722dcaa0b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\Temp\MT\1a70ddda3494f38620d8225722dcaa0b.exe
  "C:\Windows\Temp\MT\1a70ddda3494f38620d8225722dcaa0b.exe"
  2⤵
  - Executes dropped EXE
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\MT\1a70ddda3494f38620d8225722dcaa0b.exe

Filesize
8KB

MD5
0b3bb6c3e1b6b9947c3772a474a51b8b

SHA1
d3fd43c29ba2f54fcf3361717e4973ea25f08f8d

SHA256
17e63f55c6e66829a68380e9cde3caccce02ef17f8b5ac1c3df4e3b378d5e2dc

SHA512
6dff18f6cb0f502809d1a46ba6e9cab16a6097f271f438f40fa3ab9a6a69b4ba83b02e4b929edb253b3435abd53aae481b1ac454baf3f42c296ed7517a340a2f

Download Submit
C:\Windows\Temp\MT\1a70ddda3494f38620d8225722dcaa0b.exe

Filesize
21KB

MD5
23cfe179d6f8fa439940127ddbc1b610

SHA1
feb886af81708926929b0346b5fc85da31d43cfb

SHA256
be4ac67dd2b96085c094edaed5727cfec594aff1899c10ae07fbce6887516865

SHA512
a0ec1d0040a2ea20b1418d46e8dd19ea1ccff0451fd6346a7c8b53d4e4b32aef0dfd0d3553bcb99490cb43847fa05474d15f48bad05789a9fbe44d07f9e26bd5

Download Submit
C:\Windows\Temp\MT\1a70ddda3494f38620d8225722dcaa0b.exe.2

Filesize
22KB

MD5
eb60c901e46a3f850e0ddb54346dc463

SHA1
bd3c06f25fe9b548c1801d3c237cc37c7a987824

SHA256
d8868c3928889441016c75b822f8399909512c21bab2527cff7fab3218ece43a

SHA512
56a6bb2849b9a4733de50b8b522b4de806379d8b8515a8d24b80197c2574a645e91f0ad7fdbd6d39851da7d60f98778155ef4e6a2c5f438a9b8cab8e77646e41

Download Submit
memory/4144-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4144-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4948-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4948-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download