34a95a340deb0ceb5408eb394665abbb24d717099379fd22f1bad1b5b6593ec3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 16:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ba5d31b9057662a8925990f02202893.exe
Size

406KB
MD5

7ba5d31b9057662a8925990f02202893
SHA1

23f27966cd06d084ee9d6b79f25bed8cebeb79c8
SHA256

34a95a340deb0ceb5408eb394665abbb24d717099379fd22f1bad1b5b6593ec3
SHA512

a2158f59582f1cb4c60764e8718172a7c1a764100ef175088c35225bba934253e0fe05b108df25e4df54fba45bfbd68499d1356f7b870f38feee100611754205
SSDEEP

12288:f9tL0gh/mMFDRhmHK1QUZYa8t6mHK1QyEmHK1QFnc9:f9tQDMVRhCK2UZOt6CK2zCK2t+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	7ba5d31b9057662a8925990f02202893.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	7ba5d31b9057662a8925990f02202893.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4268	4536	7ba5d31b9057662a8925990f02202893.exe	25
PID 4536 wrote to memory of 4268	4536	7ba5d31b9057662a8925990f02202893.exe	25
PID 4536 wrote to memory of 4268	4536	7ba5d31b9057662a8925990f02202893.exe	25

C:\Users\Admin\AppData\Local\Temp\7ba5d31b9057662a8925990f02202893.exe
"C:\Users\Admin\AppData\Local\Temp\7ba5d31b9057662a8925990f02202893.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Documents and Settings\33.vbs"
  2⤵
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\33.vbs

Filesize
324B

MD5
41e8368767aded380e8b1ab79347ff16

SHA1
87fe118cfa9c5f6c567a361781943c4d3342fe67

SHA256
a32e9f0fe4836cda1ac3cc4ad24b6ca255a88eeda6767907be041bee58049909

SHA512
d3f6ad4cd05dbcfcc8b3adfad029cb66ed149e55d806389b1fc25be7a888b5b49afc555d01675ffd15f894259f3e5202adeb5c1244fd98cd8cda78cfdd227d75

Download Submit
C:\Users\small.exe

Filesize
166KB

MD5
73d87a656650135c354d4ed098c12d96

SHA1
104d42840a7df622390458855dcf53f4b697a833

SHA256
74f599382895163701a919e630ee59e8ff99114e400b6f4e0c6a0f6d6f126d04

SHA512
6252e4f6bedea3985e534b28cc04b4ca2b5073817f1175d32b8926425d7a0665b59fbb635fa07204ba4a1e86e820ec5ad21dcbcb8243fa860db86462f71e6c4b

Download Submit