a0c82f2656dd45e63714b5fb3395ee85fc085d766548e4104fa6c428a9b51edd

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b93ce49c85e86415969c3381a83089.exe
Size

2.5MB
MD5

53b93ce49c85e86415969c3381a83089
SHA1

9eb02c75ab2f184ab20c3c3c4f849cd59605531e
SHA256

a0c82f2656dd45e63714b5fb3395ee85fc085d766548e4104fa6c428a9b51edd
SHA512

bcee02928fac5c55020a8596a99318a67ccf27ebbad5335f79f8ba2e4a8d67a32065a89f2bbc64cf1c10f4a4df823de50ffe13df0f3eeb44cc0885be3be6de1c
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rH:o7AEvgVOy29Ls3JslVYzjMO26im

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	53b93ce49c85e86415969c3381a83089.tmp

Executes dropped EXE 2 IoCs

pid	Process
3312	53b93ce49c85e86415969c3381a83089.tmp
1020	WMF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	WMF.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3312	1988	53b93ce49c85e86415969c3381a83089.exe	89
PID 1988 wrote to memory of 3312	1988	53b93ce49c85e86415969c3381a83089.exe	89
PID 1988 wrote to memory of 3312	1988	53b93ce49c85e86415969c3381a83089.exe	89
PID 3312 wrote to memory of 1020	3312	53b93ce49c85e86415969c3381a83089.tmp	92
PID 3312 wrote to memory of 1020	3312	53b93ce49c85e86415969c3381a83089.tmp	92
PID 3312 wrote to memory of 1020	3312	53b93ce49c85e86415969c3381a83089.tmp	92

C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe
"C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\is-0T9H1.tmp\53b93ce49c85e86415969c3381a83089.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0T9H1.tmp\53b93ce49c85e86415969c3381a83089.tmp" /SL5="$8022C,2280122,153088,C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="45.rar" /fid= /stats=6BMz7mxDTQUNpgijiDNnIJZog7fxDeuBKc4ef1AlCk8FrLFLRU4H9MeqJ72CH0OlmF2lmAjWG2SyXYHhzGSeNg== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0T9H1.tmp\53b93ce49c85e86415969c3381a83089.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\WMF.exe

Filesize
1.2MB

MD5
45b6f3a84aa61256d16234711e71664b

SHA1
3edd046f1b93fa0c3568dbc1793c50df81048100

SHA256
15d7acae1d9fe2f609d6d1af1788178e15f122a6f7982f4a01119350d146ec9f

SHA512
385ffc10e962a2b72c753d83da7d3b90cb6d055013b80b2d4868adccbb4e5236b6b9004b11eec35405dd536fd5be55165b429bfe3d7259f46a94c3851e5e1187

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\WMF.exe

Filesize
1.1MB

MD5
0fbcf6dc00fe9ec977e5bc9ccfde8564

SHA1
677d38683ecb912dd97ce993a983b804a2b7f045

SHA256
e74c32b5543673a39215c37448440f55af8a4d7cb4d4a641d1ca290f667930e9

SHA512
301f659beb04987fdbf3e500ee8711bb90af534935ce93a1741a92020e5dbcf5165d9a264fe887598f0c76d4a56d4defd87819d2c452754ac9aeb823db5bac63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\WMF.exe

Filesize
1024KB

MD5
c1b2bf92bd9ef0b5fc3e51f57acc3326

SHA1
d5463aceb9b7f94e69d3c5daa7bfc347e78babea

SHA256
9b4316d5c503c17a33ccfe0c33ad8894e3f9303693df1901efb2f39568fa8729

SHA512
51e667650204934c7b46efaf2e6824cfb1494551f76171480aa8d245e88c78b6a6714245f7d5b9eef8c3892b8f7df9cce89b74a5966a1a080e7578202463801f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H1E4.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
memory/1020-42-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1020-38-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/1020-34-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1988-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1988-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1988-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-37-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3312-7-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download