Analysis
max time kernel
154s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/12/2023, 09:49
Static task
static1
Behavioral task
behavioral1
Sample
64f3a6d029c806371c2a4f34c9a72eb7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
64f3a6d029c806371c2a4f34c9a72eb7.exe
Resource
win10v2004-20231215-en
General
Target
64f3a6d029c806371c2a4f34c9a72eb7.exe
Size
88KB
MD5
64f3a6d029c806371c2a4f34c9a72eb7
SHA1
8018f72a14f57e3f36fe983c7ba9b8a61769812e
SHA256
79f64b68a3ed4b08b03e8aa83b71603a2d75289948378fb80f8d11e7f88ac887
SHA512
5516017eedd29534c22f23db289d94b7fc9f4d9db9dc0b3f9223b7f5568b2405d0e9923b2bc9d39a5389ffce894d528e963d11b2e458bc416bbbeb9e1c6e24d1
SSDEEP
1536:AoQIKo6iHk1t7qaeJdb3rydGs+af7f6QEiRvbl9lh:ANIKUytWaKb33glbl1
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: 64f3a6d029c806371c2a4f34c9a72eb7.exe

resource                                                                  yara_rule
behavioral2/memory/4932-1-0x0000000000400000-0x0000000000420000-memory.dmp   upx
behavioral2/memory/4932-2-0x0000000000400000-0x0000000000420000-memory.dmp   upx
behavioral2/memory/4932-3-0x0000000000400000-0x0000000000420000-memory.dmp   upx
behavioral2/memory/4932-4-0x0000000000400000-0x0000000000420000-memory.dmp   upx
behavioral2/memory/4932-8-0x0000000000400000-0x0000000000420000-memory.dmp   upx
behavioral2/memory/4932-17-0x0000000000400000-0x0000000000420000-memory.dmp  upx
behavioral2/memory/4932-22-0x0000000000400000-0x0000000000420000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                               procid_target
PID 4932 wrote to memory of 680    4932  64f3a6d029c806371c2a4f34c9a72eb7.exe  107
PID 4932 wrote to memory of 680    4932  64f3a6d029c806371c2a4f34c9a72eb7.exe  107
PID 4932 wrote to memory of 680    4932  64f3a6d029c806371c2a4f34c9a72eb7.exe  107
Processes
C:\Users\Admin\AppData\Local\Temp\64f3a6d029c806371c2a4f34c9a72eb7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\64f3a6d029c806371c2a4f34c9a72eb7.exe"
  PID: 4932
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
    PID: 680
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
210B
MD5
32b662713493956f6821550cfaf64a2b
SHA1
ae422faf003a02304102c36a8933cd6b6d5c49bc
SHA256
0100d817fb15e316fe34b3b131bfd85ded9aff04f676fe98230aa613f2103c30
SHA512
9ba88466c29cd47bdaeca6c0d9452f5536f9c91002f02d6f7d95a9b751255254ae53cda4f38a4fa69738178d9caefdc8edbac195ebead6456688253fadd70504