d59d41a14a42fc13cdaebeb0d17b3423a84f4f197247e26475eb054192d86d4e

Analysis

max time kernel
143s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d1cabee511e052e4b9d3d8a566c4abd.exe
Size

16KB
MD5

1d1cabee511e052e4b9d3d8a566c4abd
SHA1

e085c794d0e21499b5e619971304695955c7c41d
SHA256

d59d41a14a42fc13cdaebeb0d17b3423a84f4f197247e26475eb054192d86d4e
SHA512

c6ee0667f193a6a89f61f46ec90d1391f4fd855aaf647b9fab07feb07989df81096a0b3f2d6377264cf2527ff74633fa66a8bd26fe8fd7af66e1b12e43fe61bc
SSDEEP

384:T1yD8ICl0WC4JWOz42GxUObWd78nur8DYMEgqkj6baL7n:5rBabUrdwVcME4++L7n

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1d1cabee511e052e4b9d3d8a566c4abd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ssvchost.exe

Executes dropped EXE 3 IoCs

pid	Process
1840	DONC.exe
1608	ssvchost.exe
1264	msvchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1840	DONC.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regm64.dll	DONC.exe
File created	C:\Windows\SysWOW64\msvchost.exe	DONC.exe
File opened for modification	C:\Windows\SysWOW64\msvchost.exe	DONC.exe
File created	C:\Windows\SysWOW64\ssvchost.exe	DONC.exe
File opened for modification	C:\Windows\SysWOW64\rmnl.dll	msvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	1264	WerFault.exe	100

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1636	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	96
PID 1824 wrote to memory of 1636	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	96
PID 1824 wrote to memory of 1636	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	96
PID 1824 wrote to memory of 1840	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	97
PID 1824 wrote to memory of 1840	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	97
PID 1824 wrote to memory of 1840	1824	1d1cabee511e052e4b9d3d8a566c4abd.exe	97
PID 1840 wrote to memory of 1608	1840	DONC.exe	99
PID 1840 wrote to memory of 1608	1840	DONC.exe	99
PID 1840 wrote to memory of 1608	1840	DONC.exe	99
PID 1608 wrote to memory of 1264	1608	ssvchost.exe	100
PID 1608 wrote to memory of 1264	1608	ssvchost.exe	100
PID 1608 wrote to memory of 1264	1608	ssvchost.exe	100

C:\Users\Admin\AppData\Local\Temp\1d1cabee511e052e4b9d3d8a566c4abd.exe
"C:\Users\Admin\AppData\Local\Temp\1d1cabee511e052e4b9d3d8a566c4abd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFN.BAT" "
  2⤵
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\DONC.exe
  C:\Users\Admin\AppData\Local\Temp\DONC.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\ssvchost.exe
    "C:\Windows\system32\ssvchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\msvchost.exe
      "C:\Windows\system32\msvchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 524
        5⤵
        Program crash
        
        PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1264 -ip 1264
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DONC.exe

Filesize
12KB

MD5
4c81abc74d75b392ce70e0424ce8caf3

SHA1
9c0cd17e0e34fac95fd87fa34ea6bdc5c9696030

SHA256
8d4c31c70a2815055a4b37ebdc5d08ccdbad4d94974cb6fdf98b8aeb920e7197

SHA512
f937f5cef06cce2a80928b740a29599396df0212ac3b0a9418a4ff56df286e07b092108e70bd9db70c679aad8dd456d8b5afa1149926dffc472762a4ce3f755b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFN.BAT

Filesize
635B

MD5
ea0a2d1b76749531b21cd1b164b67182

SHA1
745afe4a63e1465960be473b5713b1b903b6913b

SHA256
e8d3f95f7cb4e37e709cf4912bf5a88771b4921b115e3412f10b533feb011120

SHA512
c418c81c70a7b8e7548bdf8aa6963c49136edaed7fac36128b2b85d8a99d1716d63dcf30aabed6a851d5fcc230445bea8983a367bfa27508950f82c78c1d4cf1

Download Submit
C:\Windows\SysWOW64\regm64.dll

Filesize
12KB

MD5
618ba27f0502751f408b211f61747827

SHA1
c78868c7b629d2e5d4f447099c9726379b6d421d

SHA256
5c5b2b741b4a7a152f9750e36c61fab1f65ef41955013db8aa487a2ab29b6eb6

SHA512
de6454a04c43c4d0d7f6604b9c0e61eea5fa88b9c15253817b7823b9e3446778331d25ca005625b69bf1f1cf01abe6b89dcdb752d6e179cb59be31f0439fe99d

Download Submit
memory/1264-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1608-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1824-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1824-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1824-27-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download