f619484090ebbe96ee99eac61b5ba76acf3063a114b5ff1d8f1464ef98553adf

Analysis

max time kernel
1s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7c31f9bbf574bc22b058cc67ad503f9.exe
Size

908KB
MD5

f7c31f9bbf574bc22b058cc67ad503f9
SHA1

1581e7f3b778303068451d1eaa3e309fdd9d188b
SHA256

f619484090ebbe96ee99eac61b5ba76acf3063a114b5ff1d8f1464ef98553adf
SHA512

6bacd170f5ac04617df5466677ef13963a7db4c0e5196a3716c789fc4b3cbb0b24c5a4262a52d6836fb30940fcaf419364cc1bcf309c9c9f51bcf79a9f05c366
SSDEEP

24576:8/NiRWfP4WOfJ/418E3X4ur1FYM0/5b3MomTlZx:uYUtOfJFE3X4urY5hAoY7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	f7c31f9bbf574bc22b058cc67ad503f9.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	nzy4linWjhqSjOVfKdCq.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f7c31f9bbf574bc22b058cc67ad503f9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f7c31f9bbf574bc22b058cc67ad503f9.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	f7c31f9bbf574bc22b058cc67ad503f9.exe
File created	C:\Windows\assembly\Desktop.ini	f7c31f9bbf574bc22b058cc67ad503f9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f7c31f9bbf574bc22b058cc67ad503f9.exe
File created	C:\Windows\nzy4linWjhqSjOVfKdCq.exe	f7c31f9bbf574bc22b058cc67ad503f9.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	f7c31f9bbf574bc22b058cc67ad503f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1784	2284	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2284	2480	f7c31f9bbf574bc22b058cc67ad503f9.exe	37
PID 2480 wrote to memory of 2284	2480	f7c31f9bbf574bc22b058cc67ad503f9.exe	37
PID 2480 wrote to memory of 2284	2480	f7c31f9bbf574bc22b058cc67ad503f9.exe	37

C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe
"C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\nzy4linWjhqSjOVfKdCq.exe
  "C:\Windows\nzy4linWjhqSjOVfKdCq.exe"
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 904
1⤵
- Program crash
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\nzy4linWjhqSjOVfKdCq.exe

Filesize
92KB

MD5
018415a98e5de3a99b3acbaa220bdb9e

SHA1
91b0019f341b677078860fc06ab0318d4b6d9c96

SHA256
0fd114c97be0de5633afffef793015809b0c977681a141f733c239f2452c88bd

SHA512
616959c5661dfe42091402ebf023b8cbfa412187b7dc8818ef64eb81974646895636f9507ac8288716f59791bc2f297a39fbc438d45c2bb88015acda93bebb68

Download Submit
C:\Windows\nzy4linWjhqSjOVfKdCq.exe

Filesize
93KB

MD5
c1e130d088323a7e3b771186ca411fca

SHA1
cb4add2c3d6f647633a895af8d6382e99809ce5c

SHA256
89a3127cc64dbdca37074ba941f095c339b24e72e35fddcf8677f2cd47058f06

SHA512
e821a55f0bb0ba3bba055d36b002e6558e55a95861091d3b1667a12a305916e722bf4203a95686e48b453d3feca72258b7616b72fcecf26f781e466619ec80fe

Download Submit
memory/2284-19-0x0000000000840000-0x000000000092E000-memory.dmp

Filesize
952KB

Download
memory/2284-24-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2284-26-0x0000000005400000-0x000000000549C000-memory.dmp

Filesize
624KB

Download
memory/2284-27-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2284-28-0x00000000052F0000-0x000000000530C000-memory.dmp

Filesize
112KB

Download
memory/2284-25-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/2284-23-0x00000000722C0000-0x0000000072A70000-memory.dmp

Filesize
7.7MB

Download
memory/2284-29-0x00000000722C0000-0x0000000072A70000-memory.dmp

Filesize
7.7MB

Download
memory/2480-0-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2480-2-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2480-1-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/2480-22-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download