2adc889abf9eb905bf4294d49e24276206316a278bc02bd9886b5637f5610ab0

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111e34676c31799322aa49005e7cd57a.exe
Size

115KB
MD5

111e34676c31799322aa49005e7cd57a
SHA1

f069b889df8144af217c6a53d5bf2464b957330f
SHA256

2adc889abf9eb905bf4294d49e24276206316a278bc02bd9886b5637f5610ab0
SHA512

b7cbeacfc6c5232bf24426da9bd92b7c994959bb1bb8b2a27a3a3252070832fe2157b9d2af241e2f0ee0434d20e8de1cf2340cd0b77874eac66575ee61e01992
SSDEEP

1536:UkoAzrk0MkJaG3Tmi8eCWWAu4+y268gtZYL86T7EZ3c:JRzrnMZG318eCWlkyB86ZY46UO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	111e34676c31799322aa49005e7cd57a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4988	768	111e34676c31799322aa49005e7cd57a.exe	92
PID 768 wrote to memory of 4988	768	111e34676c31799322aa49005e7cd57a.exe	92
PID 768 wrote to memory of 4988	768	111e34676c31799322aa49005e7cd57a.exe	92

C:\Users\Admin\AppData\Local\Temp\111e34676c31799322aa49005e7cd57a.exe
"C:\Users\Admin\AppData\Local\Temp\111e34676c31799322aa49005e7cd57a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nnv..bat" > nul 2> nul
  2⤵
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nnv..bat

Filesize
210B

MD5
3cf769e1037f6987e19930da3a86d7b0

SHA1
05bcd16dd68f2fca27b93032fd626dd06bcc9406

SHA256
1d2c309d16dfaeaf156eb13f56306ac71aa73b0d6271dec0054876bf7dfaa922

SHA512
23dba1521469e7e75abb5623256098c2a506fad383a420c45d501da5884619cf3d8387a83b87f680f288e73b78a1b15e2b590f56f70a192fc27ab63ab93ba0e9

Download Submit
memory/768-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/768-1-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/768-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/768-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download