245c13b24d69789cfa90b90bda38c590a4d9857e82e284717386ec45488b44b4

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d382acd28f6ff9b677dee3c4a37f5f2.exe
Size

367KB
MD5

5d382acd28f6ff9b677dee3c4a37f5f2
SHA1

3904dc7771c527b7f9069e9194c24cde0bb8c41b
SHA256

245c13b24d69789cfa90b90bda38c590a4d9857e82e284717386ec45488b44b4
SHA512

ef13845d3290f7e2477bffdc981f8b567ecbbd0b94ca24be2d24802777d80d28e284c7b691cb81d29f06f40ae02015bbe5f1987a6dd23123600b9be82b654d35
SSDEEP

6144:5c9EzidIRfLbii5bkgVuN+xSKV7Wkrsf7LsFRtGIEQH5jWCF:qeOd8XikbkgaISKVlKW5j3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	5d382acd28f6ff9b677dee3c4a37f5f2.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe

Loads dropped DLL 1 IoCs

pid	Process
4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2952	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	23
PID 4460 wrote to memory of 2952	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	23
PID 4460 wrote to memory of 2952	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	23
PID 4460 wrote to memory of 4624	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	27
PID 4460 wrote to memory of 4624	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	27
PID 4460 wrote to memory of 4624	4460	5d382acd28f6ff9b677dee3c4a37f5f2.exe	27

C:\Users\Admin\AppData\Local\Temp\5d382acd28f6ff9b677dee3c4a37f5f2.exe
"C:\Users\Admin\AppData\Local\Temp\5d382acd28f6ff9b677dee3c4a37f5f2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4460
- C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe
  "C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe" -y -pBCCDB688-5658-41EB-A69D-12D61718CBCF
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\e1631a96-bfee-4861-8ae5-433c9ca3369c\start.hta
  2⤵
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe

Filesize
107KB

MD5
f2f68d02e438b2eb938762c175b9fe84

SHA1
478855126e417acee6e2fb311ee79c1094d29a8d

SHA256
fa10034895238cb9215f253c4dcf55ce0bb6b324f6bf60c1abcb214261360e85

SHA512
0dffe85463310161da737ecf5d9007813683e7285f91b103c87ef796c47ef12a3f1b857d8eb1cdc4f27a9c0abd92e400c6b912fa890a9929a52f7b31fd021276

Download Submit
C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe

Filesize
57KB

MD5
ebba2b4a39f228731b1e412a5b66f44d

SHA1
41b5023e934c66d72f6f3bdc1a990900d940aea7

SHA256
e977a415168c876a49436dd50986e63c1c551e41fd3de49ae0b50a68a8d8bc6d

SHA512
d857a120d9ec6e618e7ad283b55c108cfd6ef07023dd3e4c2d0d762a9f7f20ac0f47366a58f4b3e7cda62b78041ef26f48d79e023cb9cdd057b1be33aaebeeee

Download Submit
C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\3BCE2C1C-3FF0-4D55-8820-60401FABE6AD.exe

Filesize
1KB

MD5
3e97bb77b224ac0a7af1f2b938d9184b

SHA1
226e1ac4fb3951fde0485c5fd8f92679e939b77d

SHA256
3cc072d66180709d7ec81de1228a838b53fcce297ab3120b649dabb27ceea5a7

SHA512
1abae9c88bf2e997cac4443d8abea20529ef9d024fb10a531142b6b102ebb13c7086c231b393fec7ac7a22abe80af8454df021dcc2c0bc2cdaf10fefd0db0498

Download Submit
C:\e1631a96-bfee-4861-8ae5-433c9ca3369c\InstallerHelper.dll

Filesize
38KB

MD5
4624671a1ade12ce599ee37272fec909

SHA1
e1276b6303fb36cafcbb3bfa657385e6d8c1eee4

SHA256
2acb81ec006e5eae07b67357a664dbc22577ba46c7e5a3b6ef88a50c1a664ba8

SHA512
35997260512dc126feaf08f6f28101328eb972245b97349c75d7906cad6c2e1855d0498578cb20d3243e21de1952f324bf55d442b2529820d0e5ad92830c85f9

Download Submit
\??\c:\e1631a96-bfee-4861-8ae5-433c9ca3369c\InstallerHelper.dll

Filesize
68KB

MD5
febb195815e259bc938091b4254048dc

SHA1
1f3d438055d8928af53eae1495498466d681149a

SHA256
a10125988c50c7a31849dc260158c0885cd3cae5bc788269788be15195f5a394

SHA512
2aeef77b557f2d812444ce15e0f0a4efd9f5b105ba1c7f329c880f0bf4405be5a048ba919bf2f94fcd5fd49af41118360c42260def3a96fc980a2664d7f7d0d5

Download Submit
\??\c:\e1631a96-bfee-4861-8ae5-433c9ca3369c\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\e1631a96-bfee-4861-8ae5-433c9ca3369c\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit