51f26ea72ac2a5922ba91e46fb53f19da0ab2281305c7908185e2fb8bf882119

Analysis

max time kernel
3s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11bd1c955d2e2cb6a1f0cf1065f5eff3.exe
Size

912KB
MD5

11bd1c955d2e2cb6a1f0cf1065f5eff3
SHA1

49476f320592ca048d6e0c5bdb639c30e0f20f54
SHA256

51f26ea72ac2a5922ba91e46fb53f19da0ab2281305c7908185e2fb8bf882119
SHA512

4c5488bc8e9e15dd41822a5abaadaae6c1e1fc171813b9cd5fc042c3b7dd2719c5533d9326e0b4ec9db94cfc87f14a87dc2d511eb6ca1d9689724ee6889931c6
SSDEEP

24576:b1dlZo5vzNPIZDRl7+re4AYa1g6QpmMLczBCkbs:b1dlZovzN8DzKAYa1zMwzA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	11bd1c955d2e2cb6a1f0cf1065f5eff3.exe

Executes dropped EXE 1 IoCs

pid	Process
3696	THAMER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3696	2236	11bd1c955d2e2cb6a1f0cf1065f5eff3.exe	20
PID 2236 wrote to memory of 3696	2236	11bd1c955d2e2cb6a1f0cf1065f5eff3.exe	20
PID 2236 wrote to memory of 3696	2236	11bd1c955d2e2cb6a1f0cf1065f5eff3.exe	20

C:\Users\Admin\AppData\Local\Temp\11bd1c955d2e2cb6a1f0cf1065f5eff3.exe
"C:\Users\Admin\AppData\Local\Temp\11bd1c955d2e2cb6a1f0cf1065f5eff3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Extracted\THAMER.exe
  "C:\Extracted\THAMER.exe"
  2⤵
  - Executes dropped EXE
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\THAMER.exe

Filesize
34KB

MD5
94223a45f34f2bfe6ee34b41650f6575

SHA1
3a50c02ce2c48a07331b60320f1f6cdedd1d4350

SHA256
5f0834f33c0806c61b0aac462561361e35dd320db61c1eba6e601566d20fec58

SHA512
fa2b74b8da88c8144146c9f1fdd8ae7ae63e9cfde5d823d72871b703d745da5a69608aa0df9e9ebf658eb536f545ddd494f25df3c699b0df3cf209eac70d3870

Download Submit
C:\Extracted\THAMER.exe

Filesize
16KB

MD5
f41d8b4598c07d7fb1c3337f450589d1

SHA1
9c2425d187831e46f8bbbe59d4729c1f897bbb16

SHA256
ff32ef9b894d256a150a821122ff0f7c5cc062844cc2a527d8a1dcd5a51eaf2e

SHA512
177fc3752121c537389ffc4d4f974ed739ef24faffe51a6cafb116519e1509aa7c94790be2ece170c9920509e747bad82d78dec9fb026b9562c99069204e04c9

Download Submit
C:\Extracted\THAMER.exe

Filesize
32KB

MD5
2db4afa390c1da018a44de53c47e1985

SHA1
5ff93aba2ac1fb242e61e1de80641d02455a1aff

SHA256
a1828d07298419c8dbd225852cabe9fb243779949afbc76b39e1f497cce91255

SHA512
63bef0224fa1047ecf669ffcdb0edb4cdfaf1add9c6257f7bf3b4e72bc1f2f99940c838408f8d0bccd09c39c80c260560c925653dcc0814aa95956202ec7a9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
221B

MD5
91b23f67051f2c75a0f7310a5774f821

SHA1
1f71c2ae879080c80b773e1c1606963e948073c6

SHA256
19fa2c3de8ab03c05ad0c90bc46c0d01e53617b34088f77589e8dd697dfdc6d1

SHA512
9027803a5bfa33bca056ccccdbd39a24d0724f86d50ffbba49accc9eaf12b9e64fa02fd6fa31a0c83509ff24cf93f481e298ffef156957c942f22b68f98c1da4

Download Submit
memory/3696-32-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/3696-30-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/3696-29-0x0000000077D92000-0x0000000077D93000-memory.dmp

Filesize
4KB

Download
memory/3696-28-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3696-27-0x0000000000A00000-0x0000000000A3A000-memory.dmp

Filesize
232KB

Download
memory/3696-26-0x0000000000520000-0x0000000000524000-memory.dmp

Filesize
16KB

Download
memory/3696-25-0x0000000001000000-0x00000000010CA000-memory.dmp

Filesize
808KB

Download
memory/3696-33-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3696-31-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3696-36-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/3696-35-0x0000000000A00000-0x0000000000A3A000-memory.dmp

Filesize
232KB

Download
memory/3696-34-0x0000000001000000-0x00000000010CA000-memory.dmp

Filesize
808KB

Download