7863cec21e457f7d980d4aa6b86a396f4c77200d1ce1f3f67cbcf69b5bffaf35

Analysis

max time kernel
2s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db03cdae71a3621719d7aa611852fa4.exe
Size

297KB
MD5

0db03cdae71a3621719d7aa611852fa4
SHA1

30396c6baf8adec0007548068f67ad702ab5a33b
SHA256

7863cec21e457f7d980d4aa6b86a396f4c77200d1ce1f3f67cbcf69b5bffaf35
SHA512

6c15bcbba82fd0012eb1dc4f1df5952ab406363a9be1ec7c3ba06c8447588ba8a6a5c6c7133d2fe03a51388129eff50a519683ca68088bf1cabe2f6bdabae579
SSDEEP

6144:0BVCDoKKjiAiophvutPeCAM2zJgFoajs92FtjafVi4i1O0vGMwS0dT1O:lSiAiM1uVRYd8tWw4irOb1O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	0db03cdae71a3621719d7aa611852fa4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\testserver.exe	0db03cdae71a3621719d7aa611852fa4.exe
File opened for modification	C:\Windows\SysWOW64\testserver.exe	0db03cdae71a3621719d7aa611852fa4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2608	4996	0db03cdae71a3621719d7aa611852fa4.exe	72
PID 4996 wrote to memory of 2608	4996	0db03cdae71a3621719d7aa611852fa4.exe	72
PID 4996 wrote to memory of 2608	4996	0db03cdae71a3621719d7aa611852fa4.exe	72

C:\Users\Admin\AppData\Local\Temp\0db03cdae71a3621719d7aa611852fa4.exe
"C:\Users\Admin\AppData\Local\Temp\0db03cdae71a3621719d7aa611852fa4.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SysWOW64\testserver.exe
  "C:\Windows\System32\testserver.exe"
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\testserver.exe

Filesize
1KB

MD5
af94bdb90ff75bb97c308d695811496a

SHA1
3d71a229c18a4f531c96ebe388bc284bc76393a6

SHA256
8fcf665fe851bec12a4d7260753c1d70504267ee96f26d7c3f7cd11460f6bea7

SHA512
71c7a60e3f3af6532ee7e2d55334ff5a8cde2eb9d2c6bae72f56b61c62aafe18d4d9527423158456d98263e2098343f2b8d97f4d4cb5472fa5ac0f56e7b23699

Download Submit
C:\Windows\SysWOW64\testserver.exe

Filesize
108KB

MD5
59d9792fa36ae49f8120b6745d4dec85

SHA1
97a221b8808600b03a9b41c78a0dc3f3a40544eb

SHA256
3f0604b4dd7844a3ebfb0a26f6826a15c0fb99c40558b728f7a75b86c00b6399

SHA512
8b3c70e3fda6ca0363cfa86e5870da75b72f55f8024cb67d826465242e928626b852758f03acf5a8d92553ff78da6cd923c7aca22ef7ce34a8d51b07345f5d6b

Download Submit
C:\Windows\SysWOW64\testserver.exe

Filesize
72KB

MD5
35c9ee91b3371850760d724f6e49b85f

SHA1
bce8e3334059b73269041f8ca108c3d202fd9998

SHA256
d8def1ed8a19fdbfaac6ae544e12a221da76169fe1847013511e6302213c543b

SHA512
79d241c44956b2bd70211f77fc6e9252601fc1e915b36f559456cf72038c74b095c58623441ba2b01c9c9d7074022fcf3e38b30422094038c774f8684e3c5dcf

Download Submit
memory/2608-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2608-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4996-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download