4d00e12652478c6b9070605a9d13e454e8e89548673c68ce32c8a100a70dec43

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07e9900effbe8c25fed3060c9f6a7a0a.exe
Size

52KB
MD5

07e9900effbe8c25fed3060c9f6a7a0a
SHA1

a0d5da2bee24391e75d82fb01099915262c3ffa2
SHA256

4d00e12652478c6b9070605a9d13e454e8e89548673c68ce32c8a100a70dec43
SHA512

25fcdae2f07b73003d8bdb4436d359d54d2b781899ceb04d72ad5def23156a54779bed9ff80bb248b82382d131a74b483ee010b6286f45200e872e344e2c6489
SSDEEP

768:lZ7JsNn5YP3h9aco8X9EVPZrdiEcTMeRt6c/L03seunjfdZ0Xv1aeWVohZ7Avh/W:VI6niNxIXMeLD03EZ0Xv1ouZsvV

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	07e9900effbe8c25fed3060c9f6a7a0a.exe

Executes dropped EXE 1 IoCs

pid	Process
1016	HRY6HMMFD3Wmsi.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07e9900effbe8c25fed3060c9f6a7a0a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\RMXP1XMG.exe	07e9900effbe8c25fed3060c9f6a7a0a.exe
File opened for modification	C:\Windows\RMXP1XMG.exe	07e9900effbe8c25fed3060c9f6a7a0a.exe
File created	C:\Windows\HRY6HMMFD3Wmsi.exe	07e9900effbe8c25fed3060c9f6a7a0a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4516	07e9900effbe8c25fed3060c9f6a7a0a.exe
4516	07e9900effbe8c25fed3060c9f6a7a0a.exe
4516	07e9900effbe8c25fed3060c9f6a7a0a.exe
4516	07e9900effbe8c25fed3060c9f6a7a0a.exe
4516	07e9900effbe8c25fed3060c9f6a7a0a.exe
1016	HRY6HMMFD3Wmsi.exe
1016	HRY6HMMFD3Wmsi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1016	4516	07e9900effbe8c25fed3060c9f6a7a0a.exe	89
PID 4516 wrote to memory of 1016	4516	07e9900effbe8c25fed3060c9f6a7a0a.exe	89
PID 4516 wrote to memory of 1016	4516	07e9900effbe8c25fed3060c9f6a7a0a.exe	89

C:\Users\Admin\AppData\Local\Temp\07e9900effbe8c25fed3060c9f6a7a0a.exe
"C:\Users\Admin\AppData\Local\Temp\07e9900effbe8c25fed3060c9f6a7a0a.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\HRY6HMMFD3Wmsi.exe
  "C:\Windows\HRY6HMMFD3Wmsi.exe" wb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HRY6HMMFD3Wmsi.exe

Filesize
28KB

MD5
abac1aafcb93bf0f111b670cad5531a0

SHA1
ae5addd9dfe4f0fe4ebe8fa82250631ffe529b60

SHA256
7009aec1d769bae1e0f900f0ba7922785e2f645be9d1f52c93e030395313d68d

SHA512
cf5bece7df80b9d721a0df6271181aea7717edb312a4f1b9cb1634d90394edff1327d6c34ba7e1e0f7f206971150a369fb18120a18e396bd1f8a8c087e945a15

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads