6f59b4ed351bf7c9bf8ef0eeb856022770ac5e75c9d250a9b9b8a3d65af58dfd

Analysis

max time kernel
12s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1265d502db673afa98d7599e2696398d.exe
Size

103KB
MD5

1265d502db673afa98d7599e2696398d
SHA1

61e56f447f69edbf29812add6b71c679d26271a6
SHA256

6f59b4ed351bf7c9bf8ef0eeb856022770ac5e75c9d250a9b9b8a3d65af58dfd
SHA512

d52c2c2592cb4defb007271f6d0d6978a8efd7733c4385ae065f0ed9aca4d8bfef275a96c632f741f47c4605a871fa96c98f830be587c443b5a8087defb92971
SSDEEP

1536:CqJW3IBqpAXmqmuyBXSu6omC/w539lGzNP5x2d5sh073Y:dJW38/4EdVGNxxjh0LY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1265d502db673afa98d7599e2696398d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1232	1960	1265d502db673afa98d7599e2696398d.exe	94
PID 1960 wrote to memory of 1232	1960	1265d502db673afa98d7599e2696398d.exe	94
PID 1960 wrote to memory of 1232	1960	1265d502db673afa98d7599e2696398d.exe	94

C:\Users\Admin\AppData\Local\Temp\1265d502db673afa98d7599e2696398d.exe
"C:\Users\Admin\AppData\Local\Temp\1265d502db673afa98d7599e2696398d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ykj..bat" > nul 2> nul
  2⤵
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ykj..bat

Filesize
210B

MD5
7e2b1d7f68a3d6ae58687757f2928d0d

SHA1
81a6bdc13c716712f1f55213cfe9ca481df5f62e

SHA256
589fe92e9f195c6f7f1715e30a9a6eb75a24be954f5bccee8e3cc183d2f1c47f

SHA512
57f52f0afae34671336535f825c0cd66df34a64e11aa895da2bc37cbf31c48ddc65b47238ddb5f1aabe68257bd9dd3f48daf12b206a450b041f3910127b73c07

Download Submit
memory/1960-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1960-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1960-1-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1960-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download