8db0768035d2f3e459b3a22baf1a19af8fdcce6ccd43bf7efd521a941ac4deb7

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dc7e2164b701678519519c7250757b5.exe
Size

309KB
MD5

1dc7e2164b701678519519c7250757b5
SHA1

1714e52b3e6d7e467544ba6dd7d6a52eca5db8b0
SHA256

8db0768035d2f3e459b3a22baf1a19af8fdcce6ccd43bf7efd521a941ac4deb7
SHA512

678f1b50db9b8fed9eb48b43f4530cfe1065427f5bf2d7a71f978a3000ad98cf0ace061f586ec6a0b4237500d5f51180aeb9b39f6ec039b0aaf5e0ed44fde716
SSDEEP

6144:hTfFDbRnOTrfQJvgR+KrY4AGcAGbJ1dabmCgP7:H5OLAKKASjabmCk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	1dc7e2164b701678519519c7250757b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 968	560	1dc7e2164b701678519519c7250757b5.exe	89
PID 560 wrote to memory of 968	560	1dc7e2164b701678519519c7250757b5.exe	89
PID 560 wrote to memory of 968	560	1dc7e2164b701678519519c7250757b5.exe	89
PID 968 wrote to memory of 4544	968	mshta.exe	93
PID 968 wrote to memory of 4544	968	mshta.exe	93
PID 968 wrote to memory of 4544	968	mshta.exe	93

C:\Users\Admin\AppData\Local\Temp\1dc7e2164b701678519519c7250757b5.exe
"C:\Users\Admin\AppData\Local\Temp\1dc7e2164b701678519519c7250757b5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "javascript:new ActiveXObject('WScript.Shell').Run('Devourer_3.0_1651423716354.bat -Fil',0);window.close()"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Devourer_3.0_1651423716354.bat" -Fil"
    3⤵
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Devourer_3.0_1651423716354.bat

Filesize
136KB

MD5
1c14a9c3f62c4b9539a9d974816620b2

SHA1
f63094fc99248403eae50b6d6de945b1826d28ad

SHA256
0b35b0f0a6efb761f56787e11f8a9cf3d593b4aca68a71edc638cdbbcbe92cf7

SHA512
28b586e9c622a0cbe18627a255ac58f9418aa5fc3817da7178b060f47e04d7ceeb47694c2e8ebc57ed5534a01d64e4fc582035031572d819d9ec6b65a2c7965d

Download Submit
memory/560-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download