692ff43904c85618a7b776b10848d3065c62f4d99d064c8f808f51108aacc98b

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21835e64fbf57bba0e4c0e98fa9f1082.exe
Size

93KB
MD5

21835e64fbf57bba0e4c0e98fa9f1082
SHA1

7bf8a0e7b790f4a86464bc12e2d99eef3914e95a
SHA256

692ff43904c85618a7b776b10848d3065c62f4d99d064c8f808f51108aacc98b
SHA512

2f80ad79046a5da4fb24518bbe82e5a31d2ff49d9ef4036605eb4b3e256534596c8503bbbd456a69b3354b28f391bde0874712356e707026555e70ab03f7d677
SSDEEP

1536:VyQT05QG70AQz6CwvonnZfr0od8yQoAX2D357dGweFrBNo8DirUrlFIy:/ZD0o3A2lZirztrlFIy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	21835e64fbf57bba0e4c0e98fa9f1082.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4224	3008	21835e64fbf57bba0e4c0e98fa9f1082.exe	90
PID 3008 wrote to memory of 4224	3008	21835e64fbf57bba0e4c0e98fa9f1082.exe	90
PID 3008 wrote to memory of 4224	3008	21835e64fbf57bba0e4c0e98fa9f1082.exe	90

C:\Users\Admin\AppData\Local\Temp\21835e64fbf57bba0e4c0e98fa9f1082.exe
"C:\Users\Admin\AppData\Local\Temp\21835e64fbf57bba0e4c0e98fa9f1082.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Vwz..bat" > nul 2> nul
  2⤵
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vwz..bat

Filesize
210B

MD5
755fafc4d8c7d12541244e8393dcfa12

SHA1
cc13c1c3d593bb6d4b1f232369132e8a9dc344fd

SHA256
0d57865e55d9e3d923c62d177af57d6f68abe397b9f84b947eeaae72ab801cfd

SHA512
90dd3aadc61e9d30f7cd06e7fae02fa597bfb8ed2fcdcdf7be7194a8f4de286379871dc783c723d8c81df95d75895fa367bc66651c6d35d1e1ba767e0f88869d

Download Submit
memory/3008-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3008-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3008-3-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download