3a09e2b50c089eb7e0267749a325d8b5296033f8f31ce1a3f640e6da54a29992

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29dd0db15779ffb863345c54fd1709a7.exe
Size

361KB
MD5

29dd0db15779ffb863345c54fd1709a7
SHA1

1128ffb1bf60cfdffd2f9a6e05d99fd6ee4c425c
SHA256

3a09e2b50c089eb7e0267749a325d8b5296033f8f31ce1a3f640e6da54a29992
SHA512

33cc592b89ad6f8c45bf9ba91d67f16d5b1111a01dea68287c9c11aad3825d438e85a73ee7a6f58e83523127de4a20c74607c2af35c96c2d86f1beb859ea56af
SSDEEP

6144:cbeDLwwWFCARMB/6PbAkqxSCHg+bEDHH1j/A5Wd81Fap8UvqALK5bFOt+F4gLX63:j4wWFCA6BBkqxSC3byjQWL8MqAKcIjiP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	29dd0db15779ffb863345c54fd1709a7.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	Mail.ru patch_v1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	1336	WerFault.exe	89

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1336	4696	29dd0db15779ffb863345c54fd1709a7.exe	89
PID 4696 wrote to memory of 1336	4696	29dd0db15779ffb863345c54fd1709a7.exe	89
PID 4696 wrote to memory of 1336	4696	29dd0db15779ffb863345c54fd1709a7.exe	89

C:\Users\Admin\AppData\Local\Temp\29dd0db15779ffb863345c54fd1709a7.exe
"C:\Users\Admin\AppData\Local\Temp\29dd0db15779ffb863345c54fd1709a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe
  "C:\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 224
    3⤵
    - Program crash
    PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1336 -ip 1336
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe

Filesize
230KB

MD5
0394f345e5571993994bff85dbac37ac

SHA1
1c74c54022b6b51fc76a71c067c207d3fe1d5143

SHA256
1f4c3cb142ba89469ec47b5bdece98562c46e983929c3527862026386a2df484

SHA512
dbed4bb587c99dd7a82d5b5bbc3cb92285cd176b01704ad2b5621b66b26b42a5f332527cb4b8ce11f56eec042504cecc53b641cd835351c2e35b089346657a81

Download Submit