239da45fc8a7a9884c9a950f42dae25cf90711c3733c5eb33274861646ac4cb1

Analysis

max time kernel
0s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

088952a633a391914d077b3113b15063.exe
Size

331KB
MD5

088952a633a391914d077b3113b15063
SHA1

14fa95d1ece1ef96746eb2f4d04673b0a56323e7
SHA256

239da45fc8a7a9884c9a950f42dae25cf90711c3733c5eb33274861646ac4cb1
SHA512

6c256b2300df77e6b9cc5ff0d2bc1e21f3b5be07750d1dbaaa4acc346573fe65729526fd5489e159a6a3ff343828d97127d142c355f488b7543fa22fee8ca5be
SSDEEP

6144:bmp5IBr4WYcFIgpRL00AIPB72s9UYJ1dMvh:boeuXc3bL00AIPh2s51dMp

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	088952a633a391914d077b3113b15063.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	EpicScale.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicScale = "C:\\ProgramData\\EpicScale\\EpicScale.exe EpicScale StartMinimized"	EpicScale.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2064	4052	088952a633a391914d077b3113b15063.exe	23
PID 4052 wrote to memory of 2064	4052	088952a633a391914d077b3113b15063.exe	23
PID 4052 wrote to memory of 2064	4052	088952a633a391914d077b3113b15063.exe	23

C:\Users\Admin\AppData\Local\Temp\088952a633a391914d077b3113b15063.exe
"C:\Users\Admin\AppData\Local\Temp\088952a633a391914d077b3113b15063.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\ProgramData\EpicScale\EpicScale.exe
  "C:\ProgramData\EpicScale\EpicScale.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EpicScale\EpicScale.exe

Filesize
17KB

MD5
d0919cbffada67d14f093ad534bff3e1

SHA1
863a479ebbb0e58ad8745eaa76e7153be3777b26

SHA256
4c0fee0339dcb749aabb514d224ecc52fafaef4fe3f59bc1597b6692c056f1c7

SHA512
5aa94911d1f8fbc6d91b242dde62133a0ea70e77f282927db90a68263a82b6cbd98d6375578abce3cdad614936e6c72a0fc2bbb99633c5500d65435103fda6df

Download Submit
C:\ProgramData\EpicScale\EpicScale.exe

Filesize
9KB

MD5
c4e8a70e0cf088615b4238492f363a57

SHA1
f7263c49e5e9d81a906197492141b681731ba014

SHA256
deb6b9e568ddfaf187c5139e6368a31951992f15d9e43308a3a948274523b2c5

SHA512
bc6eea3bdcc42af407d677ccb9fe82e8e90d859951eb4c9e6b0d21929f220d9042b93f75e34777259d33f469ce319eaea52b0d223e0d84fd7eebd57c07a84aab

Download Submit
C:\ProgramData\EpicScale\EpicScale.exe

Filesize
10KB

MD5
4481e7c3e691a8e83a7ed16d4829445a

SHA1
d7a095410f275cd175ab7f719174a25f5dc39303

SHA256
48abe2dd372663015c9271edffc689f46ebcd274d9a58a45eae7ae390d6db99a

SHA512
f4e1c507134aa00f8cf18053f152b5eaa9b73e99b0bde55a8fa35d8fed68cc00e6d1c749202a814974f1f463ead5524a549028909804eb959b96689af4a41ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DE0551C14AAEC69FC037864EE3882EF

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DE0551C14AAEC69FC037864EE3882EF

Filesize
422B

MD5
d92ce0a8fca4b1b4ad7f26561810b5f4

SHA1
1f35410988cdfa7015b438cb76eac000c9455d6f

SHA256
0220e7f460f71a21f1b3278054f0bace98611e98737f0d87edcf45c08f916cf0

SHA512
4cd9ecf2877a2b0a743bdedee0ffa3af919550097832802a1f0001cece220c489c381a9cfb71fcd1a614bf1e74dd288ed114a341928e32bb667f993f5f462a48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DE0551C14AAEC69FC037864EE3882EF

Filesize
422B

MD5
c792915676195b0f29696dc3cb38cbe7

SHA1
eab623c3ddc049f56f2d5f5a65640799b39449f1

SHA256
30f00a86b14b048bf993b45e2851254e187a2f53adab77f221f7049c7ba4dac7

SHA512
f002c227e49757452847c034ff7c23369760dae5fd0d0a688c61e87e8d704dc6a6756c9f7615163497569876a8364f85fc89b478a7185c96c3547893fcc1d760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DE0551C14AAEC69FC037864EE3882EF

Filesize
422B

MD5
9b66ac3f2f7bdf2a60035135ffe438fc

SHA1
dea981b14c75f2cb9927c40cc20f70a808f6ab8d

SHA256
7533da44dec9b8fbc59a212f26f64a50f1254bfcbcb433493f638690b2b78c3a

SHA512
51aafeef0f0d8c6899fefe8519a13307b15df7b2050f9ed96787b0ea431a8f7cba72e54afc0ced7e54a3676fd90fca18211584954eb346267685aee148d9f42a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads