12e2ec3a7568d46479306a177eb14d991b613a7cb3a9499d80facc6dc8129d2c

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a5638788e0ab39c4cf822ba35787bc.exe
Size

40KB
MD5

02a5638788e0ab39c4cf822ba35787bc
SHA1

39d7d10908309d1f38592ce04ed23bcf857d6e85
SHA256

12e2ec3a7568d46479306a177eb14d991b613a7cb3a9499d80facc6dc8129d2c
SHA512

216b63e1334e666bee79af3f753fafb2f40e405750b5435c97a5a70884246abf50be910d396e1f8f6d09c6e18a38e7b212cd44d828b22c900da22fed33a43e43
SSDEEP

768:So20WNjWJaMOs13VT8YZTeHS2NOehee2Y/xaBeYwTOKI5dJIle33Gtq1IimOg1ID:F2NlWJaMb3hll24ehee2vh0OKRc30q1f

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key\StubPath = "C:\\Windows\\exe.exe"	exe.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	02a5638788e0ab39c4cf822ba35787bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	02A563~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	exe.exe

Executes dropped EXE 3 IoCs

pid	Process
3340	02A563~1.EXE
3064	exe.exe
3264	exe.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\w32_sysbm.bat	02a5638788e0ab39c4cf822ba35787bc.exe
File created	C:\Windows\exe.exe	02A563~1.EXE
File opened for modification	C:\Windows\exe.exe	02A563~1.EXE
File created	C:\Windows\w32_systm.exe	02a5638788e0ab39c4cf822ba35787bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3264	exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2940	2936	02a5638788e0ab39c4cf822ba35787bc.exe	36
PID 2936 wrote to memory of 2940	2936	02a5638788e0ab39c4cf822ba35787bc.exe	36
PID 2936 wrote to memory of 2940	2936	02a5638788e0ab39c4cf822ba35787bc.exe	36
PID 2940 wrote to memory of 3340	2940	cmd.exe	29
PID 2940 wrote to memory of 3340	2940	cmd.exe	29
PID 2940 wrote to memory of 3340	2940	cmd.exe	29
PID 3340 wrote to memory of 3064	3340	02A563~1.EXE	35
PID 3340 wrote to memory of 3064	3340	02A563~1.EXE	35
PID 3340 wrote to memory of 3064	3340	02A563~1.EXE	35
PID 3064 wrote to memory of 3264	3064	exe.exe	33
PID 3064 wrote to memory of 3264	3064	exe.exe	33
PID 3064 wrote to memory of 3264	3064	exe.exe	33
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55
PID 3264 wrote to memory of 3524	3264	exe.exe	55

C:\Users\Admin\AppData\Local\Temp\02a5638788e0ab39c4cf822ba35787bc.exe
"C:\Users\Admin\AppData\Local\Temp\02a5638788e0ab39c4cf822ba35787bc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\w32_sysbm.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940

C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE
C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\exe.exe
  "C:\Windows\exe.exe" "C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3064

C:\Windows\exe.exe
"C:\Windows\exe.exe" stm
1⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE

Filesize
39KB

MD5
47a4ab5a55c10fd66b5cb1eff1e40088

SHA1
ba45cd10d4c7bc3709ccc597d371e94dbe40f55a

SHA256
882235e2b9197dadad99140524a71c969245b351f4767b3efc6a242400578a24

SHA512
ce3a940702c0fecbda88c5ed8e7d172adfd1039ecb5d18f2b8584f5034fe9902aa499ab6e4e44a8d7088b64e4f8e1d032db392d13e5651d6964745c8048d73c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\02A563~1.EXE

Filesize
10KB

MD5
52cd4c41cbb39e5ac8b6b7998150e24c

SHA1
75ffb732a88fc9c660855c68355707a1aef47841

SHA256
4d9cb3ab795b541398cfc0918c509ce3ea9f364a56ff3a4cf788f42f2bc8fb91

SHA512
3be9f856699a2a59d502439c1fe83d1f7bab5d115416a7f8cc6385f7a9b67104811fdedcb9d8a15b612e30f05307d20fa37a419081e6e24cfc7ec88a8fc5bd67

Download Submit
C:\Windows\exe.exe

Filesize
37KB

MD5
9563035bd41ca6123bc09eced7931944

SHA1
42aaf014153cde2a0a990143605cb758bf8d9c83

SHA256
563fb3517ffcc7475612056db1cb83f26e7c7ecbf6884f979eea7007588d2e5a

SHA512
e6d26224f2d617d19fd2408f0e9c56373d1f19a50d9b741c5a9650a1782d3422c0f24807b87443262cf925b464e72d9f194c00b6d4c943bdc39f2e85d60c73a6

Download Submit
C:\Windows\exe.exe

Filesize
65KB

MD5
854586763dd57256c7ae57b61e7022fd

SHA1
b044c24c357d1ebe00e9b2d3a8761c20aeb8b406

SHA256
6a2deee4e1976105df675fb3dddfe77b37ebdaba59d1e05e9fc6c122b4e58d02

SHA512
8e901a948a0ea6f028be7b0b17120e5cac6a89d0b1116216b05ea158015b41192369bd0dddcefa91567dec7e176dcca827aa0b4d42c5711005be7c05a721147a

Download Submit
C:\Windows\w32_sysbm.bat

Filesize
339B

MD5
fed0a2750d4a3fd12fff2c53a14cc6ff

SHA1
4acab81e0dc32586994ae7604260a998a3845120

SHA256
fc31bf4679f0dfcda7f4b2a701a68f8880e5d80b63fd66f1883dd4f2e1a4fbe0

SHA512
91de1b008aabe03f1b77ef0321484069b08b51bceee9cd8cc6ed7d129bd0d4720658c47dd81d741b17c950c7f17d62f974a0ca33879d654faa6866ff8a0bc68d

Download Submit
C:\Windows\w32_systm.exe

Filesize
12KB

MD5
8e7e993f7be152b35969695bc9fa81a5

SHA1
1ff106aebed0b26265e60c552508b6c4d9770359

SHA256
bd0d640bbae9ff7bb36ebf19ee1242a14cef1912f54de411180dc6b8ec3ab0a7

SHA512
e5fd5efa23f4c62bba70a145a107254b44e64183c4a76dc3f32d09ffc91a7fb36894404d525b9245649e2eac4507b979fbadfba77a0006c56b02ad007b3519c4

Download Submit
memory/2936-1-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2936-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3064-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3264-26-0x0000000010410000-0x0000000010426000-memory.dmp

Filesize
88KB

Download
memory/3264-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3340-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads