60ac222b8f786819ff02451962eaf3cae51b1df9689dff7f7842dcae84cb445a

Analysis

max time kernel
95s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 09:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6542a4b4b4aed6d243bb7e57c8bdd049.exe
Size

94KB
MD5

6542a4b4b4aed6d243bb7e57c8bdd049
SHA1

a4876c40c4f6513101ef83a8408afd4da9a49a16
SHA256

60ac222b8f786819ff02451962eaf3cae51b1df9689dff7f7842dcae84cb445a
SHA512

92c29fe4a5aff9e1bcc1bba7b375eb86ddc76a6dacfeecbf12f31456f544d903a1b4a7fb15450c660f05dc70f66452a49526b2f0602bf2e769da9b40aed138ef
SSDEEP

1536:vfg+M2Y9oH+cpTKeyaI0Z/od8bDbRvU5yYeVYXrgITAGXBB3exYEjpepikFIy:vfgyY9oH+cTKGI0Z/oooeVYXrgI0GXW4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	6542a4b4b4aed6d243bb7e57c8bdd049.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4380	5020	6542a4b4b4aed6d243bb7e57c8bdd049.exe	93
PID 5020 wrote to memory of 4380	5020	6542a4b4b4aed6d243bb7e57c8bdd049.exe	93
PID 5020 wrote to memory of 4380	5020	6542a4b4b4aed6d243bb7e57c8bdd049.exe	93

C:\Users\Admin\AppData\Local\Temp\6542a4b4b4aed6d243bb7e57c8bdd049.exe
"C:\Users\Admin\AppData\Local\Temp\6542a4b4b4aed6d243bb7e57c8bdd049.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hxz..bat" > nul 2> nul
  2⤵
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hxz..bat

Filesize
210B

MD5
7dba9356ad616962d39d29b0594394d3

SHA1
74bd89e105b51019bb1ea1d486c2abefc04ac77e

SHA256
c3dab7faf865edc342d4517fafbaa3d3e7dc6eac329199d5fd88e9130c057fa6

SHA512
382a6ac2543dfc4c705359f8a249c74d9eb0220944f2dce36cf3b2a311e56f7a198d92c655a42eb9b05197e3930ea7cf35258696960a2b6f1af6d21488a95913

Download Submit
memory/5020-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5020-1-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/5020-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5020-5-0x0000000002300000-0x000000000231B000-memory.dmp

Filesize
108KB

Download
memory/5020-4-0x0000000002300000-0x000000000231B000-memory.dmp

Filesize
108KB

Download
memory/5020-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5020-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download