8f565a3a0a3b0eacf8b3c79bc89f22307e7752fd2c54b00e932f3849c23c4ce9

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d1bc2a5267cb57c0db2c11a4b4b283.exe
Size

37KB
MD5

00d1bc2a5267cb57c0db2c11a4b4b283
SHA1

b06987ab499195e4c97743b0debc367476c097ae
SHA256

8f565a3a0a3b0eacf8b3c79bc89f22307e7752fd2c54b00e932f3849c23c4ce9
SHA512

062efb8f4ed975f83d7ab718f1d465fee31b41bc5d40f86beade65de28dd3c64562868f115e835875f8a98e7f87fcd2e234b3ceafd71fe5d5d6fd35362804f2e
SSDEEP

768:XmShH8GPcg4+aLK877Sg5QUSkoHtYu4xpbQV7LTlq36EBZhg9qn+ol:XmShHvoLK8KASko54/QV7LTU3hBZhg9A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	00d1bc2a5267cb57c0db2c11a4b4b283.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID	00d1bc2a5267cb57c0db2c11a4b4b283.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl	00d1bc2a5267cb57c0db2c11a4b4b283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID\ = "{F00E59F9-65EA-4BAC-AD14-FAFEE832151B}"	00d1bc2a5267cb57c0db2c11a4b4b283.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	00d1bc2a5267cb57c0db2c11a4b4b283.exe
1932	00d1bc2a5267cb57c0db2c11a4b4b283.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1664	1932	00d1bc2a5267cb57c0db2c11a4b4b283.exe	105
PID 1932 wrote to memory of 1664	1932	00d1bc2a5267cb57c0db2c11a4b4b283.exe	105
PID 1932 wrote to memory of 1664	1932	00d1bc2a5267cb57c0db2c11a4b4b283.exe	105

C:\Users\Admin\AppData\Local\Temp\00d1bc2a5267cb57c0db2c11a4b4b283.exe
"C:\Users\Admin\AppData\Local\Temp\00d1bc2a5267cb57c0db2c11a4b4b283.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuhrn0.cmd" "
  2⤵
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zuhrn0.cmd

Filesize
275B

MD5
f7755aa073c3168e45ba59677ce89dc7

SHA1
74ac95e5566448adcafa859e268778f3f63a5342

SHA256
9ca706e816bd07b19958b361e7ad63cedabef2f4f67035ee2eae949a8d796866

SHA512
4274ed64e2d496908511509a7995d4353856263b71ae0bc9faeb8987c7b7b4a353398abcb7cfb2ef838775429d5ed44246a6b708e811ed5811a07f6d9692f866

Download Submit
memory/1932-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download