44bdbbbe56991ded4603ad80f5783953bf90148ab9a4c88e269b4df08f966e02

Analysis

max time kernel
177s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05ceea70089e649666acdbe3cc9c319f.exe
Size

63KB
MD5

05ceea70089e649666acdbe3cc9c319f
SHA1

d6f0097a677abed0b7764166a27592ceb2fa1df3
SHA256

44bdbbbe56991ded4603ad80f5783953bf90148ab9a4c88e269b4df08f966e02
SHA512

fc7e4fba4cf57dce7a266c3de5f3e734dbd2c5f3c9a2ee57418859246d658f09e61bd7d80e34bdfd69f1af6e3a8587bbe22e69e0b6838cdd2800ce6a6570117b
SSDEEP

1536:uufg6xNUQs0ZEjMPcqHmbBhvI1qWfiuv7tPS0xLDfk:x3xNvaIPk+qWpL1fk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	05ceea70089e649666acdbe3cc9c319f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3832	1680	05ceea70089e649666acdbe3cc9c319f.exe	94
PID 1680 wrote to memory of 3832	1680	05ceea70089e649666acdbe3cc9c319f.exe	94
PID 1680 wrote to memory of 3832	1680	05ceea70089e649666acdbe3cc9c319f.exe	94

C:\Users\Admin\AppData\Local\Temp\05ceea70089e649666acdbe3cc9c319f.exe
"C:\Users\Admin\AppData\Local\Temp\05ceea70089e649666acdbe3cc9c319f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Adf..bat" > nul 2> nul
  2⤵
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adf..bat

Filesize
210B

MD5
4e72515d557f255159a720453122a40c

SHA1
564e967243034a06b0e4b200bae0b0da8113e665

SHA256
5e07b6e7e1dc714a5fa892c23af18d84f4a482dd9adfd619e83eb879c8bd3e4c

SHA512
76ecc7e317a4318ed236b019d628f8e558663fc573423973a0898c06d216bb7bf7b1b71f1b22bd85baf49570674b818caa8982dee076a5b43c2cebf68c824790

Download Submit
memory/1680-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-1-0x00000000025A0000-0x00000000025C1000-memory.dmp

Filesize
132KB

Download
memory/1680-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-3-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1680-4-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1680-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-7-0x0000000002160000-0x0000000002593000-memory.dmp

Filesize
4.2MB

Download