cfe701c32299a1a659abdfedd357926875310233e22b02eb59fb224c89fe4d8a

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed4c76010c938c38ad503c552fcde97.exe
Size

134KB
MD5

1ed4c76010c938c38ad503c552fcde97
SHA1

ba6701add4a0cb103978a8877bff2dbdc2355e08
SHA256

cfe701c32299a1a659abdfedd357926875310233e22b02eb59fb224c89fe4d8a
SHA512

1ae624c7658af8536f1f1a115e05d08a10b9c2aa817f3dc6f39d716496f1848cdef3f502e6bbd70b5cfc4d5f4471a8271f6cd48df5fe7c8ed72cfd823d455575
SSDEEP

1536:8QTpallndzt8usk8Ih5t2d/r1h0HdUye8S3IHhgHKmmMaTKhJ1tujsk8nauWf7Sm:8QollZEpI52d/pKHdR7a+Q389jDU5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	1ed4c76010c938c38ad503c552fcde97.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	MicroS0FT.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kill.bat	MicroS0FT.exe
File created	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe
File opened for modification	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\MicroS0FT.exe	1ed4c76010c938c38ad503c552fcde97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2452	1ed4c76010c938c38ad503c552fcde97.exe
2452	1ed4c76010c938c38ad503c552fcde97.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	MicroS0FT.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1600	2452	1ed4c76010c938c38ad503c552fcde97.exe	91
PID 2452 wrote to memory of 1600	2452	1ed4c76010c938c38ad503c552fcde97.exe	91
PID 2452 wrote to memory of 1600	2452	1ed4c76010c938c38ad503c552fcde97.exe	91
PID 1600 wrote to memory of 2992	1600	MicroS0FT.exe	92
PID 1600 wrote to memory of 2992	1600	MicroS0FT.exe	92
PID 1600 wrote to memory of 2992	1600	MicroS0FT.exe	92

C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\MicroS0FT.exe
  "C:\Windows\MicroS0FT.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\kill.bat""
    3⤵
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MicroS0FT.exe

Filesize
104KB

MD5
ac4d820756217d25d7213d01b391d119

SHA1
a2aa19f25798ad718c3e70cafb94de67fa6e7d32

SHA256
c17b5c9b4e4f0f11ba0984b2dce7686cb7013a14e097b67bf835f22b1438ffac

SHA512
5e6b0d4a67d981e50f7c61117e6c4a67e7c6ca65c08531f02c521c7f719ab311311975c777d1150b6dcc456bbfce63d575b5dd5be58a947c82bdd64d113c6e01

Download Submit
C:\Windows\SysWOW64\kill.bat

Filesize
76B

MD5
89167d6d87c61492684384027e42b499

SHA1
506f388e534a30145cbfd01c1084d3cdffb0c669

SHA256
d961f25d139da5312f59c689406f1fe0e359185b4215e730ba91f53dda9723d8

SHA512
5cdb6a033c45edfbb3faf8fe2b73e43fb70c6fd14f29f2a175e32dbff0cc2b7a6e2167274b1a1fd3313e60382959ba719aa0ba9f0c88e567068e8a43b6d93493

Download Submit