4dbcd6d7018656d7e02347b02bd3e4cf8f68067eb8c16e33d218003edcbe8fed

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fef6e454b6841ebc1ceae89248b53c1.exe
Size

220KB
MD5

3fef6e454b6841ebc1ceae89248b53c1
SHA1

6e48907fa770bb7a2b89c3b4535b962aa2e2a7b1
SHA256

4dbcd6d7018656d7e02347b02bd3e4cf8f68067eb8c16e33d218003edcbe8fed
SHA512

2caff4d1525cc5ecc7adfc7a79d398192d23702c4992af6a7caf1350410685636a76e933be115b11606037d942e3aac2ed11e2b4df47f45cda3e66202a9186ec
SSDEEP

6144:HpHdcNTSggNphV+kTVYLlu5U6ox1+ZpI3NeFb:HhNTV+KVYLQ5o1+ZK3wF

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	win39.exe

Executes dropped EXE 2 IoCs

pid	Process
676	win39.exe
4588	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI94 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI79.exe\""	3fef6e454b6841ebc1ceae89248b53c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	win39.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	win39.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 4816 wrote to memory of 676	4816	3fef6e454b6841ebc1ceae89248b53c1.exe	91
PID 676 wrote to memory of 4588	676	win39.exe	93
PID 676 wrote to memory of 4588	676	win39.exe	93
PID 676 wrote to memory of 4588	676	win39.exe	93

C:\Users\Admin\AppData\Local\Temp\3fef6e454b6841ebc1ceae89248b53c1.exe
"C:\Users\Admin\AppData\Local\Temp\3fef6e454b6841ebc1ceae89248b53c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\win39.exe
  C:\Users\Admin\AppData\Local\Temp\win39.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\win39.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
memory/676-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/676-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/676-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/676-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/676-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4816-0-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4816-1-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4816-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4816-16-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads