8be250e4e06d0d1d6e51cc2675f4c3639fa52fbc594099df3c0e98635d299188

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b071f9ef45cabd0294a31549339dd55.exe
Size

2.2MB
MD5

5b071f9ef45cabd0294a31549339dd55
SHA1

f9fda92882daaec185b79b05fd840e1525fddab9
SHA256

8be250e4e06d0d1d6e51cc2675f4c3639fa52fbc594099df3c0e98635d299188
SHA512

2afa20c6f5e2179cdb39fa88b55f8637898387c3294d79718f76af85aee2129b46e9d10f230931cd3da9cb7d4719a3df48ec42bffecee9d80ef1becfa1b2ad55
SSDEEP

49152:ufbjKpwf1OdBT+103W8dlcK8999tgstw7ruaLUeu9UdL7:9UOfu03ffcK87IP7ruHN90

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	5b071f9ef45cabd0294a31549339dd55.exe

Loads dropped DLL 2 IoCs

pid	Process
5012	rundll32.exe
4044	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	5b071f9ef45cabd0294a31549339dd55.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1624	1640	5b071f9ef45cabd0294a31549339dd55.exe	91
PID 1640 wrote to memory of 1624	1640	5b071f9ef45cabd0294a31549339dd55.exe	91
PID 1640 wrote to memory of 1624	1640	5b071f9ef45cabd0294a31549339dd55.exe	91
PID 1624 wrote to memory of 5012	1624	control.exe	93
PID 1624 wrote to memory of 5012	1624	control.exe	93
PID 1624 wrote to memory of 5012	1624	control.exe	93
PID 5012 wrote to memory of 712	5012	rundll32.exe	98
PID 5012 wrote to memory of 712	5012	rundll32.exe	98
PID 712 wrote to memory of 4044	712	RunDll32.exe	99
PID 712 wrote to memory of 4044	712	RunDll32.exe	99
PID 712 wrote to memory of 4044	712	RunDll32.exe	99

C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe
"C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl

Filesize
151KB

MD5
de1114c4ba00eee3f7c9bed391f1d3b7

SHA1
2fed851683d53c8a4fc84e79423a938b6700fa11

SHA256
cc68f8165e59a2ab281959771932e13ec528d2e40888f0da74051391f48f8ca0

SHA512
aa4c98e29acfc656a59a45d27fca8923c4f3798ee0eb0fe9d43f09585f6c7059a2fb0c794a366cbda766cdf91414950f924907c6fe6227215501d30d6e589f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS866A6AA7\2.Cpl

Filesize
2.1MB

MD5
0b3a02cb25e6fc8efd73337e64211da3

SHA1
95270c02e43833898abb6726ef849acb7a795376

SHA256
ebe18a6cf799adcc905b28cb725a7f19049a5e3ea9601ced01caea8b2be50eda

SHA512
2a17e9beaa7d7d0d8e4ca6c83bd10937bd93d56e152758f8d41b4774fc92f0b8f8a2970df65e64dcf544dc3e46db23c9c5e4415492794646fa0392900f7bb676

Download Submit
memory/4044-29-0x0000000002EF0000-0x0000000002FFC000-memory.dmp

Filesize
1.0MB

Download
memory/4044-28-0x0000000002EF0000-0x0000000002FFC000-memory.dmp

Filesize
1.0MB

Download
memory/4044-25-0x0000000002EF0000-0x0000000002FFC000-memory.dmp

Filesize
1.0MB

Download
memory/4044-24-0x0000000002DC0000-0x0000000002EE8000-memory.dmp

Filesize
1.2MB

Download
memory/4044-21-0x0000000000C50000-0x0000000000C56000-memory.dmp

Filesize
24KB

Download
memory/5012-14-0x0000000003130000-0x0000000003258000-memory.dmp

Filesize
1.2MB

Download
memory/5012-19-0x0000000003260000-0x000000000336C000-memory.dmp

Filesize
1.0MB

Download
memory/5012-18-0x0000000003260000-0x000000000336C000-memory.dmp

Filesize
1.0MB

Download
memory/5012-15-0x0000000003260000-0x000000000336C000-memory.dmp

Filesize
1.0MB

Download
memory/5012-12-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/5012-11-0x0000000002A40000-0x0000000002A46000-memory.dmp

Filesize
24KB

Download