e024c0d8bebc6ad4b4fa57ac7f2e8f5bc7cd03d2664d4cf85d27ed3b6c8ac266

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dd834a4efd45bc3475f4aa81ca2069.exe
Size

117KB
MD5

48dd834a4efd45bc3475f4aa81ca2069
SHA1

21d9837fe0f1474a810f34e9c827a41276271ee0
SHA256

e024c0d8bebc6ad4b4fa57ac7f2e8f5bc7cd03d2664d4cf85d27ed3b6c8ac266
SHA512

296fc2c75649dc7c648079e17180a7c4c52b0f7506d209df3c3abc723862b76e86ee93857aa6928ef3e70be0face5bcf85ee5231e5bd555e042b320829cc7d32
SSDEEP

1536:x20MvdMLJ85GEuPuyerN2VA59YEQLfyvRmGWAGwSq841iJnzDs5gFRd:xGd+9uyiIrhf1GWA1y41iJ85Ud

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	48dd834a4efd45bc3475f4aa81ca2069.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	wExtract.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wExtract.exe	48dd834a4efd45bc3475f4aa81ca2069.exe
File opened for modification	C:\Windows\wExtract.exe	48dd834a4efd45bc3475f4aa81ca2069.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	48dd834a4efd45bc3475f4aa81ca2069.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1212	5092	48dd834a4efd45bc3475f4aa81ca2069.exe	42
PID 5092 wrote to memory of 1212	5092	48dd834a4efd45bc3475f4aa81ca2069.exe	42
PID 5092 wrote to memory of 1212	5092	48dd834a4efd45bc3475f4aa81ca2069.exe	42

C:\Users\Admin\AppData\Local\Temp\48dd834a4efd45bc3475f4aa81ca2069.exe
"C:\Users\Admin\AppData\Local\Temp\48dd834a4efd45bc3475f4aa81ca2069.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\wExtract.exe
  "C:\Windows\wExtract.exe"
  2⤵
  - Executes dropped EXE
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\wExtract.exe

Filesize
63KB

MD5
31f5845ea326e27a69f6f997db0d12b7

SHA1
87856b744d2b1cec8db453f8cb9362464deba75e

SHA256
bdcc68e5cde3f9be5f851d278276cecc54fa095877bb40edd429bdc9bde48c80

SHA512
a210f4d1a1df81e5bcecfa53b400186225007056c9bc97257531d0f27d435a927bc2591d1a73d9f3137f0433e1c091c9a377f43a9351ded8535508c2b60c44b6

Download Submit
C:\Windows\wExtract.exe

Filesize
75KB

MD5
392999007d9fc0119f25b51abb19ba34

SHA1
3d9cffbab444b55a22b24502e3a825116cd69fcf

SHA256
2e24a7e150ddfafe4ad937f98e7a18e45d852d509c42484a8df6c12831542305

SHA512
f662b0f7741285672c2a80d54c68f1eba011ece284c45d520878fc638e74841de9a6d9330df25c9068eab62b3a7f5d4fcd42782967183b6de6fbe0632c7d2b08

Download Submit
memory/5092-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-2-0x0000000002170000-0x0000000002174000-memory.dmp

Filesize
16KB

Download
memory/5092-1-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/5092-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download