97a3660e3d6f4fa4bf27ffad99d1d0a0495fa5f7c463bf2a0752d0f9c1387d4a

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08285378a795457ebdeb6e6c20f8ecca.exe
Size

947KB
MD5

08285378a795457ebdeb6e6c20f8ecca
SHA1

2ec9cf21a4fb24ec7c6be7f6503aa7695c19ffe9
SHA256

97a3660e3d6f4fa4bf27ffad99d1d0a0495fa5f7c463bf2a0752d0f9c1387d4a
SHA512

d40e98fbf26c2ee8ca7e9d3fa90c85c62f3f4524fcaef0c1b81cb9a7125162bed6104d55bd792b685dd9f801caf3606e22df39ba6d8e5fc8feb27f92a1ce2a64
SSDEEP

24576:1t/+S7t8st/FDlYP5nlgKGGuv8Cs9mBlmPYP:1kC1lYtlg5Guc9C

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	internal08285378a795457ebdeb6e6c20f8ecca.exe

Executes dropped EXE 1 IoCs

pid	Process
232	internal08285378a795457ebdeb6e6c20f8ecca.exe

Loads dropped DLL 1 IoCs

pid	Process
5088	08285378a795457ebdeb6e6c20f8ecca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3536	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	internal08285378a795457ebdeb6e6c20f8ecca.exe
232	internal08285378a795457ebdeb6e6c20f8ecca.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
232	internal08285378a795457ebdeb6e6c20f8ecca.exe
232	internal08285378a795457ebdeb6e6c20f8ecca.exe
232	internal08285378a795457ebdeb6e6c20f8ecca.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 232	5088	08285378a795457ebdeb6e6c20f8ecca.exe	31
PID 5088 wrote to memory of 232	5088	08285378a795457ebdeb6e6c20f8ecca.exe	31
PID 5088 wrote to memory of 232	5088	08285378a795457ebdeb6e6c20f8ecca.exe	31
PID 232 wrote to memory of 1648	232	internal08285378a795457ebdeb6e6c20f8ecca.exe	101
PID 232 wrote to memory of 1648	232	internal08285378a795457ebdeb6e6c20f8ecca.exe	101
PID 232 wrote to memory of 1648	232	internal08285378a795457ebdeb6e6c20f8ecca.exe	101
PID 1648 wrote to memory of 3536	1648	cmd.exe	99
PID 1648 wrote to memory of 3536	1648	cmd.exe	99
PID 1648 wrote to memory of 3536	1648	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\08285378a795457ebdeb6e6c20f8ecca.exe
"C:\Users\Admin\AppData\Local\Temp\08285378a795457ebdeb6e6c20f8ecca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe
  C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/08285378a795457ebdeb6e6c20f8ecca.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsy4E80.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\23777.bat" "C:\Users\Admin\AppData\Local\Temp\0986D596A13C4C1BA6BF11D6AFCFD356\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\$I3U4F5P

Filesize
96B

MD5
592bfb732c7b275da0a0341106aa183e

SHA1
18f62c1fae8170cb9a9fd8e8b976b297db0c594f

SHA256
abcf48e1b7f466e2a98b027c480c5536231b70171829213a71659c1af4e4640e

SHA512
09ef63ed8e5be2b5c3c11996eff2d83a8fc79a29416dcb4c74a0515dd50a51426acd2d11129ac0bec957aff02101cd9344dc380b6c4937d9aa8cc54945951000

Download Submit
C:\Users\Admin\AppData\Local\Temp\0986D596A13C4C1BA6BF11D6AFCFD356\0986D596A13C4C1BA6BF11D6AFCFD356_LogFile.txt

Filesize
6KB

MD5
2140eba960137504f57e279acfbf2a0b

SHA1
322ac4fc2d6654af3e5f6a59e726fe7a64bb8d2b

SHA256
587bb25587faab7ce21d001fa9c7fb4bf9af88587c01ccfe36eb08a2426fa86d

SHA512
d4f97f5f2f1e0edddba9ffc046b5eb3421fec477659751cf2968e760729f0ffa89c206ca0720dfe7e3f94d8c13b3f069df751b93ae4418cea424d1129d18dfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0986D596A13C4C1BA6BF11D6AFCFD356\0986D596A13C4C1BA6BF11D6AFCFD356_LogFile.txt

Filesize
8KB

MD5
33a9b5b70d53c56abb4c8d0a971a93aa

SHA1
1e00d46570140b8af40ef23084b688127a225a35

SHA256
32716f5fc89bdfc540c67b164898173b4e75cbad2809c6a7b9921ff446e13031

SHA512
54da8ff96e5ad87d5605071808010157dd3b9e263a06020773615ff5e6179f2d76c628abf28f0a42b0167fe95c79d2cd0dc2fffe76946f59482811008a83fc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0986D596A13C4C1BA6BF11D6AFCFD356\0986D5~1.TXT

Filesize
41KB

MD5
f8c1056f66e8fb3e73ee3179ef155faf

SHA1
9cdb927123059e2142b585a5016dd0f3f91d7354

SHA256
f95b2521078aecfd0b651b2c54a51a138f9bbe55a2fad5be6602a49941b258b7

SHA512
0cf0701c286c0a2380a2a5d70ce66adcbb1db99c65657472aa2ba55ddc0fa023ad66a70d8890d30788a30f0f152030a9a526282ba83c38ac2b16dfa467cd3b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\23777.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe

Filesize
305KB

MD5
178e5e6c15aaa969639782101181c9f2

SHA1
32b71b8ed85a30954f25073dca512e34a214ecbc

SHA256
a97f67ec7b73013fb1da690948c2fd9ac7415904c573a4441536dde001443c3b

SHA512
d8b72123f2a9be0a22f5f1a146ff0b3f4e2e52229efdcb527a4ab1820e837495d8ad652e5c03434d364e34a04200407d50726a49549b609b82563a14ee22c1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca.exe

Filesize
452KB

MD5
b57f755b9ecb2ca2d5e24954fcb465bb

SHA1
d406b7a5dcd2539bf569750839e4f8b5be529683

SHA256
714018b6be1d849d0584d88f31ed93e548a8775e56b1eb8c919f9f5e078e8f0c

SHA512
714003d1551cad162a9952ad6e2b4aa7a1ec62aa838e197aa8a260e10795a04f8db5aca0f6e4cbe4d2024db457952e740cdd2be9cb117a521d26d22b03088196

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca_icon.ico

Filesize
31KB

MD5
176afc1d8aa151fcf20f361da6775f3e

SHA1
b562aa1767d0a146175df1ddd32c566f9ea8f93b

SHA256
0b1635554e553cb372f17c35910507cec6a042d1749cb6772827cdf53ede5afe

SHA512
d03f3905d95f6a628664c2b08b7daf5c61499e401d556fcf3a782f8624b17bd94b122732754080b9f1560fda117a259e0668321abd7a0299bc5e3bc2470642f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4E80.tmp\internal08285378a795457ebdeb6e6c20f8ecca_splash.png

Filesize
150KB

MD5
373eba2d68f220848ba957cad15f8943

SHA1
9bb839dbc2acb853cf1ffb8b7bdaeab74dd35caf

SHA256
48590bcb650c7e3786217b77d5d30afb4a9a822e8dd412ab403e38732bb4ecd2

SHA512
d7486d93f7981e7c3e8ff15a00b75833bf464802398bbe22d2c61973584599878b0f55a58169e053aa92a00097be9e30c50d32da02e7ae042e958edb94d71406

Download Submit
memory/232-78-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/5088-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download