5977f3f747105ec8579e9c07560ef29fddce6fada39bd8e1f21199f832adcf6c

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219ac194ce9eb97430034681f1c2cf5e.exe
Size

94KB
MD5

219ac194ce9eb97430034681f1c2cf5e
SHA1

692a86ca75a5cf83094aeaae3b9cf962c5fa71c1
SHA256

5977f3f747105ec8579e9c07560ef29fddce6fada39bd8e1f21199f832adcf6c
SHA512

45763c8950d5c0f7ca8979b85b450fd37dbac8c9fc3d43466b7172096a22dea7649268141bc57ee42d4348c6ed63a79950cc875db015d282f24fc9bea028c995
SSDEEP

1536:rfg+M2Y9oH+cpTKeyaI0Z/od8bDbRvU5yYeVYXrgITAGXBB3exYEjpepikFIy:rfgyY9oH+cTKGI0Z/oooeVYXrgI0GXW4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	219ac194ce9eb97430034681f1c2cf5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 4004	1068	219ac194ce9eb97430034681f1c2cf5e.exe	91
PID 1068 wrote to memory of 4004	1068	219ac194ce9eb97430034681f1c2cf5e.exe	91
PID 1068 wrote to memory of 4004	1068	219ac194ce9eb97430034681f1c2cf5e.exe	91

C:\Users\Admin\AppData\Local\Temp\219ac194ce9eb97430034681f1c2cf5e.exe
"C:\Users\Admin\AppData\Local\Temp\219ac194ce9eb97430034681f1c2cf5e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nvp..bat" > nul 2> nul
  2⤵
  PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nvp..bat

Filesize
210B

MD5
030d2c231c85c4d66a53d3978b2f135e

SHA1
e3024ea9edbe385394c8711efd0e947704f6bf08

SHA256
f1d09f6a533f053dd80cfac3272bc6b636d7242cf8c499d9043147a9528b4d25

SHA512
130695edf46a68308176e0546f0c88c2b81f7c72407a6f9591579004902306698863ec73066344c9196888f3402d1efdce37df7e35bf2b8dd208912f49f1ff37

Download Submit
memory/1068-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1068-1-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1068-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1068-3-0x0000000002300000-0x000000000231B000-memory.dmp

Filesize
108KB

Download
memory/1068-4-0x0000000002300000-0x000000000231B000-memory.dmp

Filesize
108KB

Download
memory/1068-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download