0ba861c0ce7987a9ae34bd4a7d2356e04347ce031ac25ceebd425558f2e1ff32

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d1fe14e340028d6d52c78d9ec0113c.exe
Size

109KB
MD5

01d1fe14e340028d6d52c78d9ec0113c
SHA1

eb4deb43b8f1543a28384df9a8d5460d435c37b5
SHA256

0ba861c0ce7987a9ae34bd4a7d2356e04347ce031ac25ceebd425558f2e1ff32
SHA512

40fc3933e81ee2ffaba749df13f1e08b8e6d8e8cef2d34031e33ed0b2722a3cac218539f420e1f16e64769191e29f5f8aadde53df92a3e8f0c96a3f065d18d4c
SSDEEP

3072:SD3Hl5JVSa4GhR+lbTlVd3c6h2o1DNoh:y3Xok+llLQoC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	01d1fe14e340028d6d52c78d9ec0113c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4868	2532	01d1fe14e340028d6d52c78d9ec0113c.exe	92
PID 2532 wrote to memory of 4868	2532	01d1fe14e340028d6d52c78d9ec0113c.exe	92
PID 2532 wrote to memory of 4868	2532	01d1fe14e340028d6d52c78d9ec0113c.exe	92

C:\Users\Admin\AppData\Local\Temp\01d1fe14e340028d6d52c78d9ec0113c.exe
"C:\Users\Admin\AppData\Local\Temp\01d1fe14e340028d6d52c78d9ec0113c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Fwj..bat" > nul 2> nul
  2⤵
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fwj..bat

Filesize
210B

MD5
0aa473d48c033c165f75fa52aa6aedb2

SHA1
9af128e7e677f9646b680a5ca2b9fe7e1a565680

SHA256
1b4896acd75178bb78f81796c0415d0443b2a8f267c03fb1e079ae234600abf7

SHA512
a378b475c41455b433be50dead32ce03a405a02be0b30e401a5f772e31ba499416f6fdec9519ae12481c5551097fcd0ddce99aaaae1247ca008cea32c0ce5b01

Download Submit
memory/2532-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2532-0-0x0000000001F80000-0x0000000001F8E000-memory.dmp

Filesize
56KB

Download
memory/2532-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download