77e515cd40dba7f6d5389f0b4547e056c3d26373ee9d7878d4d0836fb2487d73

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093482ba49649454005a286b63314bee.exe
Size

120KB
MD5

093482ba49649454005a286b63314bee
SHA1

4418282b6a8ff59b14f34bc7a0b0deabb61af1f0
SHA256

77e515cd40dba7f6d5389f0b4547e056c3d26373ee9d7878d4d0836fb2487d73
SHA512

3de62cfd5b7c0abae9d8b28d478eed18db8cbfebe0b7c6f80f1c4f6d3da7e7fcd4616f424e41f0b01ee6847f9ee276cc2d62a1fa3c63252108b89d569f6f34a2
SSDEEP

1536:/SjaDCgzh/pwY5tk+Xdu1jozq3z1bBR9CgGEi1xtTucxLCdP0YuYQGu41XAtt:Djoqtk4du1vJ5l7i1zLcMYuYBCH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	093482ba49649454005a286b63314bee.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2.exe	093482ba49649454005a286b63314bee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	4464	WerFault.exe	90

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5088	093482ba49649454005a286b63314bee.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4464	5088	093482ba49649454005a286b63314bee.exe	90
PID 5088 wrote to memory of 4464	5088	093482ba49649454005a286b63314bee.exe	90
PID 5088 wrote to memory of 4464	5088	093482ba49649454005a286b63314bee.exe	90

C:\Users\Admin\AppData\Local\Temp\093482ba49649454005a286b63314bee.exe
"C:\Users\Admin\AppData\Local\Temp\093482ba49649454005a286b63314bee.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 412
    3⤵
    - Program crash
    PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4464 -ip 4464
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
100KB

MD5
c17009d2e40d4a664da9b323c6a673d8

SHA1
737ac6e33894a32f9e852f5ca3ab7aaf8ac38fd1

SHA256
83dc007f7223cbedebcde30cb60c7e58280f9098e4a4e601c9517fa6c85360d2

SHA512
f2dcc5b04dce12fe294306fff6f5917623e2560263cf144431f5ef4364393b4cdb0c7799371adf751ed1e002126c6b69a75cc2c00ed9c88e919cb7c3dea30807

Download Submit
memory/4464-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4464-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download