5c31406b5a89520d9bfb7100b63d1b756bf02ea9d8329a0263aee94b852e5b22

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1194a882c3cdf330f378ee40f23857c9.exe
Size

121KB
MD5

1194a882c3cdf330f378ee40f23857c9
SHA1

4485062f006860e50342349f82ba725e9b275810
SHA256

5c31406b5a89520d9bfb7100b63d1b756bf02ea9d8329a0263aee94b852e5b22
SHA512

6e91498bc59dc32f6cf999e30f3c0f98c81ed1f541ea97963b0afb32b0d90ace31c523398d600b42a27d95876fef6968f2b5948e389d691abe9399197f7e4f2c
SSDEEP

1536:iUK3ATn6Q1w6ZnBbWxu5hb86HTU879i0PORJrqpzuQfNH+:SwTJPl9Wxuw6HTqR4pN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1194a882c3cdf330f378ee40f23857c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1640	1952	1194a882c3cdf330f378ee40f23857c9.exe	93
PID 1952 wrote to memory of 1640	1952	1194a882c3cdf330f378ee40f23857c9.exe	93
PID 1952 wrote to memory of 1640	1952	1194a882c3cdf330f378ee40f23857c9.exe	93

C:\Users\Admin\AppData\Local\Temp\1194a882c3cdf330f378ee40f23857c9.exe
"C:\Users\Admin\AppData\Local\Temp\1194a882c3cdf330f378ee40f23857c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Bqf..bat" > nul 2> nul
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bqf..bat

Filesize
210B

MD5
7d8da6cd4aee271da10bd98ae854b548

SHA1
63a55a46b808209b33acd5002892a3dbb8285df1

SHA256
a137f92a85b55e4addaa4bb7687b69ad95fb505ca1874586c87b3e764f961ce3

SHA512
055c0cd94ebabcfe5b45c78db1c4e0be50fd719d6ef081acfbb7c194648d3f9f52e793cf9b02475b131048c74df7cbde73a4f9f6b2b5ec1945b1db0909f6ed08

Download Submit
memory/1952-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1952-1-0x0000000000140000-0x000000000014F000-memory.dmp

Filesize
60KB

Download
memory/1952-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1952-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download