74656d0804831e013ca1095940de15f0c7492810c5bd31680345180d7264a1e1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

083fc7df131acc445043d166db81a084.exe
Size

48KB
MD5

083fc7df131acc445043d166db81a084
SHA1

988b046ac482280b2241eb3b61512765de1bdca8
SHA256

74656d0804831e013ca1095940de15f0c7492810c5bd31680345180d7264a1e1
SHA512

eb39d86de1a0a91f0869e8c51002654b0f2ade58c0a6011db9d20078f6b0ffcf094dd5d6b6089dfe94157b1e4047010cc400d8c8b9741a4b0765a7e4941029b9
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxn:24Bobv7aB0EooYEC3rUVcYn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	083fc7df131acc445043d166db81a084.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	zbhnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2980	1556	083fc7df131acc445043d166db81a084.exe	89
PID 1556 wrote to memory of 2980	1556	083fc7df131acc445043d166db81a084.exe	89
PID 1556 wrote to memory of 2980	1556	083fc7df131acc445043d166db81a084.exe	89

C:\Users\Admin\AppData\Local\Temp\083fc7df131acc445043d166db81a084.exe
"C:\Users\Admin\AppData\Local\Temp\083fc7df131acc445043d166db81a084.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
48KB

MD5
7c509ce24ff89a6a732bce2d5aa34654

SHA1
0c867943b7ee8b275705d54b5901360a78b8b097

SHA256
1b2ed1899fc3000c8864cf765123aaa74bfa4f5437c9bdf229c2685e93c40ffc

SHA512
edde50c38936507c664cd8bf7730a06b15f4533f196cdc4a8503320fe432d9f9f60c3c11104ab0895b32ee652b27c15fa8bfde0b9b64c2b353d61865fd4bb101

Download Submit
memory/1556-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1556-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download