e042430059b0a9fb5fe4f2bdd38fa0a138b6f46ee86072ca2382b2df8c117710

Analysis

max time kernel
169s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c5ba058f68f12cc55caa6c5f60533d7.exe
Size

924KB
MD5

0c5ba058f68f12cc55caa6c5f60533d7
SHA1

27ef3d9cc808d24f8b195d88236915a1526f7d1f
SHA256

e042430059b0a9fb5fe4f2bdd38fa0a138b6f46ee86072ca2382b2df8c117710
SHA512

094828fcbb5bbe6659594730823d1f03670b12653260b2a5b850fc10e74be5537d680216432f7a08f1cf258d7bfbed37f3fc9fdbea4d7134d0f0a63e1edcb905
SSDEEP

24576:1YfYB6zV9pbAbVMRAn4vRDrSDLD6QmXI8E7wxnX:136mw84JDr2D7m4zUdX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	0c5ba058f68f12cc55caa6c5f60533d7.exe

Executes dropped EXE 1 IoCs

pid	Process
948	Server_Setup.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\Server_Setup.jpg	0c5ba058f68f12cc55caa6c5f60533d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 948	1400	0c5ba058f68f12cc55caa6c5f60533d7.exe	91
PID 1400 wrote to memory of 948	1400	0c5ba058f68f12cc55caa6c5f60533d7.exe	91
PID 1400 wrote to memory of 948	1400	0c5ba058f68f12cc55caa6c5f60533d7.exe	91

C:\Users\Admin\AppData\Local\Temp\0c5ba058f68f12cc55caa6c5f60533d7.exe
"C:\Users\Admin\AppData\Local\Temp\0c5ba058f68f12cc55caa6c5f60533d7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe
  "C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe

Filesize
323KB

MD5
29342671dc0a818b3be4bed2e73a08dc

SHA1
2aa134455e85ccfa31ee553fc778f67630f9d8dc

SHA256
4107b5b053818bc7d554d37e53ec12d963db554599ff89e67635a4da0b3a0af2

SHA512
59910be1348a2ff96e243d3df2853f784a0575bf9e4497c1ad36bb1977079aa01c7ca96fce7ecd0a86b2519cd56cec75f8819ec5c9a6ecec75a7b671ad816952

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe

Filesize
381KB

MD5
71ba45b36617ede94c4a70ac37112926

SHA1
7d3127f4a206b2c95a9f7be369b1ebb44d82fd12

SHA256
3efacc33a216a447f5dd8a40af5b3a5a2fd3002c8a1a0d4a22b6a9068be20746

SHA512
553116faf250691bec2c9fea07bdcaf022fe3ad976c9c3c692ea252c89defdf3d525a14c84a9fee8da04ed1e5e84ef3b754a1130ba92b78c5ce457d6604646d4

Download Submit
C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe

Filesize
65KB

MD5
ab6a2c2a0edcf74d951a5f7fd910c47c

SHA1
4f9a278ce8b7ef0ef29baa655c77f4c5935615d8

SHA256
887bd8035da94389ad15c2a984e6582be817d1913ad51e257c85a50a419d32c8

SHA512
041674cc057d8d3afa04ec7070026271b177cf15ef7ad99991dcd03714a8e5d9ad528e88ced15fff1d7b2ab4efd7004d3896f6f58d81602ded38e70e7826a098

Download Submit
memory/948-51-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/1400-22-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1400-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1400-34-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1400-36-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1400-35-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1400-33-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1400-32-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1400-30-0x00000000034A0000-0x00000000034A4000-memory.dmp

Filesize
16KB

Download
memory/1400-31-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1400-29-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1400-28-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1400-27-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1400-26-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1400-25-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1400-24-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1400-23-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1400-19-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1400-21-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1400-37-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1400-20-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1400-15-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1400-17-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1400-16-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1400-18-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1400-14-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1400-13-0x00000000034B0000-0x00000000034B2000-memory.dmp

Filesize
8KB

Download
memory/1400-12-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1400-11-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1400-10-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1400-6-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1400-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1400-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1400-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1400-38-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/1400-48-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1400-9-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1400-50-0x00000000022B0000-0x0000000002304000-memory.dmp

Filesize
336KB

Download
memory/1400-2-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1400-1-0x00000000022B0000-0x0000000002304000-memory.dmp

Filesize
336KB

Download