68a417dac0d3137e571e93f8e1988444b0f1489c9548af229f8224ee404d84ed

Analysis

max time kernel
148s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6573d0f953aa744bf5d5eaa23a797de4.exe
Size

93KB
MD5

6573d0f953aa744bf5d5eaa23a797de4
SHA1

4374c096d42a4adf88c1f17a9b637504e86855bc
SHA256

68a417dac0d3137e571e93f8e1988444b0f1489c9548af229f8224ee404d84ed
SHA512

3eba2db89ee2ae857d260b03493a02b9c0bcde4a6ddcc9a1921f411fe88727c8110b2015fe75d14908c2e120e32f9113c9e946441061017670c494356e064b78
SSDEEP

1536:xyQT05QG70AQz6CwvonnZfr0od8yQoAX2D357dGweFrBNo8DirUrlFIy:7ZD0o3A2lZirztrlFIy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6573d0f953aa744bf5d5eaa23a797de4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4540	3360	6573d0f953aa744bf5d5eaa23a797de4.exe	101
PID 3360 wrote to memory of 4540	3360	6573d0f953aa744bf5d5eaa23a797de4.exe	101
PID 3360 wrote to memory of 4540	3360	6573d0f953aa744bf5d5eaa23a797de4.exe	101

C:\Users\Admin\AppData\Local\Temp\6573d0f953aa744bf5d5eaa23a797de4.exe
"C:\Users\Admin\AppData\Local\Temp\6573d0f953aa744bf5d5eaa23a797de4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Oxf..bat" > nul 2> nul
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Oxf..bat

Filesize
210B

MD5
37997cc2b12838f46d16806a7d2975a0

SHA1
bfb7f13f0a033911c2a814b259a10dff632bf649

SHA256
cf167c047726af42e032f4904595ece8ee15de83cce2432d1b5c130178d46352

SHA512
6c8f1562dabaf4c23f80661d581d710ad4b7af29345c07bac4aa30354d319c1ed8e930e260af411a64aa6eefd7a716319c31c7d48a791b9468da923fa4991968

Download Submit
memory/3360-6-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3360-2-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3360-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-12-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3360-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download