7613914b6dbabff0f4d2d183da4a2a3e8de1bcfe4625010fc37560f3547bb57a

Analysis

max time kernel
167s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13535ed352783daff5aadf844aeedda4.exe
Size

115KB
MD5

13535ed352783daff5aadf844aeedda4
SHA1

50cf6c893150b9eb9479374bbbdad14d123b8ec2
SHA256

7613914b6dbabff0f4d2d183da4a2a3e8de1bcfe4625010fc37560f3547bb57a
SHA512

a24276f808b99fc291dad7af3f4ac039fe780397e7c7148a980cbaa2175de3aef114529833af624c72b976b0854e329c822f30e00e598ec545b7d17203370bed
SSDEEP

3072:rvkGO9TMGNG0WycxnvdwOxQZbGL6msFhx2DmuA2:TkGmMGky+iO+GCh0DTz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	13535ed352783daff5aadf844aeedda4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2788	384	13535ed352783daff5aadf844aeedda4.exe	90
PID 384 wrote to memory of 2788	384	13535ed352783daff5aadf844aeedda4.exe	90
PID 384 wrote to memory of 2788	384	13535ed352783daff5aadf844aeedda4.exe	90

C:\Users\Admin\AppData\Local\Temp\13535ed352783daff5aadf844aeedda4.exe
"C:\Users\Admin\AppData\Local\Temp\13535ed352783daff5aadf844aeedda4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zhj..bat" > nul 2> nul
  2⤵
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zhj..bat

Filesize
210B

MD5
8873a3658f578b6e5c9725bcb96648b2

SHA1
06d6dd062b45a0345610ebf83f489b6af7a2ecb9

SHA256
2a750785dda0c018b523a7ef9e999cb44616b644fc54bf41db441816f0f12371

SHA512
72a8b115e3f49fd5333086a30b9795fa933588f5d60259138654428cd0cb04ad63c2d580e0558ba602714d05441f330b9f8cb5a4438d7dbd15b6c43d1f62c70f

Download Submit
memory/384-0-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/384-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/384-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/384-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download