d480efc801b92db4f4ae3eb45c1f7047b480808d036775b1ade26aa27fc3d4b5

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496888c25c68da48c4e3f9a4ef9a3ddf.exe
Size

824KB
MD5

496888c25c68da48c4e3f9a4ef9a3ddf
SHA1

0c6478d01af3b9642013fceca0ed212ad4f6594a
SHA256

d480efc801b92db4f4ae3eb45c1f7047b480808d036775b1ade26aa27fc3d4b5
SHA512

4c9c063bb7024ae29ffa7e247a8d7a3b09996500343a7305f315297f41c4054001311171d6b0df42195953e01987875f91ddfd1fcf4eaaa6f1ee5c535f3b29c8
SSDEEP

24576:mF2QVOArcsxVCJPPILCqEJXaedtOCLLLLLLLLL9LLLLLLLLLoLLLLLLLLL9LLLLx:QVOLPYLhEFprK5RV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	496888c25c68da48c4e3f9a4ef9a3ddf.exe

Executes dropped EXE 2 IoCs

pid	Process
4776	ope6448.exe
1064	opeD5C0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1856	4776	WerFault.exe	92
1372	4776	WerFault.exe	92

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4776	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	92
PID 4792 wrote to memory of 4776	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	92
PID 4792 wrote to memory of 4776	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	92
PID 4792 wrote to memory of 1064	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	94
PID 4792 wrote to memory of 1064	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	94
PID 4792 wrote to memory of 1064	4792	496888c25c68da48c4e3f9a4ef9a3ddf.exe	94

C:\Users\Admin\AppData\Local\Temp\496888c25c68da48c4e3f9a4ef9a3ddf.exe
"C:\Users\Admin\AppData\Local\Temp\496888c25c68da48c4e3f9a4ef9a3ddf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\ope6448.exe
  "C:\Users\Admin\AppData\Local\Temp\ope6448.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 224
    3⤵
    - Program crash
    PID:1856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 232
    3⤵
    - Program crash
    PID:1372
- C:\Users\Admin\AppData\Local\Temp\opeD5C0.exe
  "C:\Users\Admin\AppData\Local\Temp\opeD5C0.exe"
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4776 -ip 4776
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4776 -ip 4776
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wowshell.xml

Filesize
419B

MD5
861cf6ac468cfaf737d6123c9133e0c7

SHA1
143e8d16d3d427a97791957691706e92863dd30e

SHA256
224c77d4208a79b3f681c1dc2577b9b86d46bcdd7e8ab925695aff00ac962be6

SHA512
d7603b47409faab40d75b3e08cdea949456c594fc270be873dae962128a2f33b7a8fffd1256c8a576a7587d59fe8c44a53f95644e92ae4bd73f48bf9227f92bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wowshell.xml

Filesize
546B

MD5
fe73e640ea4ab6dce8b40797b8fa7010

SHA1
576cebb877e7b3fb57b4096bef10d10b79b7ed14

SHA256
728f08c8e2ab36756759eb127286ae09a52b79a69d27de2e3c9714a520fb0aa7

SHA512
aa4502faa2bdcc036aae4b535707c49c3f4c8515c1d1950173d93d695f89a5907cff57aa648b04d0c152ac8dbefc29ea00413cf1185fdd9cbaa24d85882273b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope6448.exe

Filesize
45KB

MD5
e754c082c01f04165327d8ed8c0c1ed0

SHA1
32f700cfccdd59b80408417b147a0b333b7882a0

SHA256
a71e004ce75e9c7f51a9a6b4c5cbb15328ed12932c3809a1a809b3cf7a775a22

SHA512
8c1a2a22b3d5aba8f976788666eef88a8d1a0e03d7e07ffb2fc671ac4d19b8a9273c02a1fb86acc98dde675e418904dfaf4f686c55721053bd21bc136fdd3111

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeD5C0.exe

Filesize
736KB

MD5
a9f83e2ad2f4eb40604bf3c8cb9eea77

SHA1
1e77ddc36daf3bc97a49c8cbc983ab4f0d5db383

SHA256
7ad759a50812a2feee1e6db7c1b1f85d87b76036cbf0dfff900793c8dc8a2232

SHA512
eb2da7d9b2371b081008e3b5e1c952f972f23d985c46395b4c591f5a5298bd069960b3f5341dee24b77bfafc6047e3552d41b57ce3dd51d6de4153fad5f653c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeD5C0.exe

Filesize
349KB

MD5
75b23a6cdb6e14977f268faa9c029978

SHA1
eea6aba643255a90f8598c71e6aee5ee1b831a9b

SHA256
c21346daf13363b3b120a8a296ee9b4b90d8ee08ff822eaaff81c7f2aef55a01

SHA512
07e08bfa079dca03b916cb70c7f7c2e582226c22c2913bab87884b56d06deefcc2fda7588f20a44ac42147c9da11a9e4df73a8abb152c5055565742e10655b63

Download Submit
memory/1064-40-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1064-41-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4776-11-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/4792-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4792-21-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download