48e12867b2a256b2676efd76f7672bb5a3b111a0304157b98c6c86c7d76b2d5e

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03577bf55d4aefea88aaa1eed68e3a19.exe
Size

181KB
MD5

03577bf55d4aefea88aaa1eed68e3a19
SHA1

b993c81ba18ced9d41fc59ac647bea489b2e15f5
SHA256

48e12867b2a256b2676efd76f7672bb5a3b111a0304157b98c6c86c7d76b2d5e
SHA512

b9997d745b61f8e0e240f6282976bc4897fbcd969be45753d8c9ea0a820f48d75992923d98387f305b2505882e9a58547ff3b18e7d53ca7bd1415f0b1b01f155
SSDEEP

3072:1d9xR3G2BZMbBLBaYw0coLujNHIHaTTg4atGleXOMJrbB60FT+bBNXXl:1d93ZBZMbqYgomHIH3eMxF8BNXXl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	03577bf55d4aefea88aaa1eed68e3a19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	inf.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe	inf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe	inf.exe

Executes dropped EXE 2 IoCs

pid	Process
1092	inf.exe
2020	smgr34.exe

Loads dropped DLL 4 IoCs

pid	Process
1092	inf.exe
1092	inf.exe
2020	smgr34.exe
2020	smgr34.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zlib4.dll	inf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1092	2144	03577bf55d4aefea88aaa1eed68e3a19.exe	40
PID 2144 wrote to memory of 1092	2144	03577bf55d4aefea88aaa1eed68e3a19.exe	40
PID 2144 wrote to memory of 1092	2144	03577bf55d4aefea88aaa1eed68e3a19.exe	40
PID 1092 wrote to memory of 2020	1092	inf.exe	41
PID 1092 wrote to memory of 2020	1092	inf.exe	41
PID 1092 wrote to memory of 2020	1092	inf.exe	41

C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe
"C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe

Filesize
38KB

MD5
4fb080f215e51616ff645f384c6b282a

SHA1
f0803140e2782c78e9a738cae956c6cdb0052ecf

SHA256
735ffb87b2e0f7f7ce40cf4e322f2c91bdb7f56ed74272f6383b8e3e2e028589

SHA512
e823f1012be897148f461e30de945d3ba53572289789f078d7c01a9afc95d59a5d58a47b1600f88f7c9319ea7966e756818f2a5c8a6808f5c734ded21bbf90f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS\zlib4.dll

Filesize
142KB

MD5
59d245b97444b78e5ea16ae10ecc6dfb

SHA1
8b0c5e3c294834791577a4bb8ee1c70765ced775

SHA256
a4c4846802db2f9511294886f7d98ee518baccff71ad549b0c6de69237419dee

SHA512
6eb75c2154b5e2485750d29c1af92a55de8414e2058e78eedc00983062e7161ed56c159cddb49cffa64518624018812f2f3df88fe7e7d6b677f44edcaa3ff340

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS\zlib4.dll

Filesize
151KB

MD5
5d7a4013f4da7be570ed30c1992563b2

SHA1
9ee822d06a31c9a3e7b0d1951a9ce1467e729b1a

SHA256
a27d35302b792fa25ca285eca7ca0321a6e1e14531be6cfc77c154e280223c4b

SHA512
a5f04ba5b932df8a6bfcc05cd54811726e76a86a4975fc5b85394906a3d57cebe040d76f09262c8c041870b92493af9f207471c0bdd3f9aee8ced205c9be01d5

Download Submit
memory/1092-29-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1092-15-0x0000000000570000-0x000000000059B000-memory.dmp

Filesize
172KB

Download
memory/1092-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2020-37-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-26-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2020-31-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-33-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-35-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-43-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-45-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-47-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2020-51-0x0000000000490000-0x00000000004BB000-memory.dmp

Filesize
172KB

Download
memory/2144-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download