db5281548b372ec5caaa911c1dc32a29234d19e3ab5761895a0d4e1dc85c3e2f

Analysis

max time kernel
138s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a91fc538517d83a23eaea041420dda5.exe
Size

3.4MB
MD5

0a91fc538517d83a23eaea041420dda5
SHA1

b93fafe10bd5d1b6d634676e5d0a441fc321d2e6
SHA256

db5281548b372ec5caaa911c1dc32a29234d19e3ab5761895a0d4e1dc85c3e2f
SHA512

79d4dfad493f27876bbfa11df000b8cb2544fa5e690cf225ed4154e849bfc24d8b44d3d203386825337a66a57b51dc87c8e725c6402e368cb1c2655dd144b2d1
SSDEEP

49152:QHQ+BBWZXrdqsSb+uSlYtZMM+UakLC5miuhoGntPfB8zF8QzwsXzC0YduCua8YHR:eQQqiI2hafAntuiQs90/ab5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
62	1320	cmd.exe
65	1320	cmd.exe
67	1320	cmd.exe
71	1320	cmd.exe
91	1320	cmd.exe
92	1320	cmd.exe
93	1320	cmd.exe
108	1320	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0a91fc538517d83a23eaea041420dda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	tQL2ruw5M1TI1J.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe	0a91fc538517d83a23eaea041420dda5.exe

Executes dropped EXE 2 IoCs

pid	Process
932	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
4140	tQL2ruw5M1TI1J.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe
1320	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2724	5072	0a91fc538517d83a23eaea041420dda5.exe	88
PID 5072 wrote to memory of 2724	5072	0a91fc538517d83a23eaea041420dda5.exe	88
PID 5072 wrote to memory of 2724	5072	0a91fc538517d83a23eaea041420dda5.exe	88
PID 2724 wrote to memory of 932	2724	0a91fc538517d83a23eaea041420dda5.exe	99
PID 2724 wrote to memory of 932	2724	0a91fc538517d83a23eaea041420dda5.exe	99
PID 2724 wrote to memory of 932	2724	0a91fc538517d83a23eaea041420dda5.exe	99
PID 932 wrote to memory of 4140	932	tQL2ruw5M1TI1J.exe	101
PID 932 wrote to memory of 4140	932	tQL2ruw5M1TI1J.exe	101
PID 932 wrote to memory of 4140	932	tQL2ruw5M1TI1J.exe	101
PID 4140 wrote to memory of 1320	4140	tQL2ruw5M1TI1J.exe	102
PID 4140 wrote to memory of 1320	4140	tQL2ruw5M1TI1J.exe	102
PID 4140 wrote to memory of 1320	4140	tQL2ruw5M1TI1J.exe	102
PID 4140 wrote to memory of 1320	4140	tQL2ruw5M1TI1J.exe	102
PID 4140 wrote to memory of 1320	4140	tQL2ruw5M1TI1J.exe	102

C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe
"C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe
  "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe" "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe" "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe

Filesize
1007KB

MD5
5e2df315bec39cf78c608a4b762ddc16

SHA1
3238e0a707f1f81c6192247b926139bf5b834f12

SHA256
c6477a962cea3e76f2cc998cd28d0dfe45f93f072b48c3d633613c8a57be3db2

SHA512
ad3afa33a48f508ac88106fcf69f034a39b64017a3d5e52e7e63386339adacc918907a3cd175eddc78450c79b65e5c604772c4c3a06b3d94cc20ead9a98b38c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe

Filesize
496KB

MD5
7864d385c43105d736f93bd75725a8f7

SHA1
429d8183d3607fe54e93f8bd9f14726c1721d07a

SHA256
90a685311d772a29f7d8714a066329049acc5fd138eee20dec6706c2ffbe9c7b

SHA512
36503214f8ecc75cd359f69618bec98a313dcfa80ca47924ff156a0c2cc79cb6547f3632a97961591d1cf0e8993da211e46d5db58af871a3b7ba977ee8770ce8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe

Filesize
647KB

MD5
abc6fb045a07eceb25d375778628223f

SHA1
97036fb93882a01d0bbd4fd5c0cff566a7286041

SHA256
a7877587a877610dd38901ba3d355b18889b555c6a3959fb78c6c9c0f54564da

SHA512
b67319443ffbfb237180edef53bcf724da453b3b7e54a721236af5252f5e94f53f2733c6e04b030ac74626ea6beb7589ad631d1d7be8ddc43318e338472bc186

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQL2ruw5M1TI1J.exe

Filesize
974KB

MD5
fd8d01e30540ba4603f9a50e7a743ae9

SHA1
3891cc02a8866c9b236aef5a286bd744fea15d6e

SHA256
662da8eac06ddefc8983669ebfb3fd95a5354d4ab118ce69a325597b4da74eec

SHA512
32c644529469479caaaaa28dfbdc5cd071c825ff6bc9f6e2e42436e95ce6e2b258663eae121b3e0f9bd94f608447cd9f76b0e4ac8fac8510d9c67f9f9eaae810

Download Submit
memory/932-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/932-25-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1320-45-0x0000000005CC0000-0x0000000005D09000-memory.dmp

Filesize
292KB

Download
memory/1320-50-0x0000000005C90000-0x0000000005CB1000-memory.dmp

Filesize
132KB

Download
memory/1320-58-0x0000000008E70000-0x0000000009204000-memory.dmp

Filesize
3.6MB

Download
memory/1320-57-0x0000000006420000-0x00000000064C7000-memory.dmp

Filesize
668KB

Download
memory/1320-56-0x00000000094A0000-0x00000000096AB000-memory.dmp

Filesize
2.0MB

Download
memory/1320-55-0x0000000006160000-0x000000000621D000-memory.dmp

Filesize
756KB

Download
memory/1320-53-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1320-54-0x0000000008E70000-0x0000000009204000-memory.dmp

Filesize
3.6MB

Download
memory/1320-51-0x00000000094A0000-0x00000000096AB000-memory.dmp

Filesize
2.0MB

Download
memory/1320-52-0x0000000006420000-0x00000000064C7000-memory.dmp

Filesize
668KB

Download
memory/1320-46-0x0000000001F30000-0x0000000001FCE000-memory.dmp

Filesize
632KB

Download
memory/1320-47-0x0000000006080000-0x00000000060FE000-memory.dmp

Filesize
504KB

Download
memory/1320-48-0x0000000006330000-0x000000000641A000-memory.dmp

Filesize
936KB

Download
memory/1320-49-0x0000000006160000-0x000000000621D000-memory.dmp

Filesize
756KB

Download
memory/1320-44-0x0000000001F30000-0x0000000001FCE000-memory.dmp

Filesize
632KB

Download
memory/1320-43-0x0000000001F30000-0x0000000001FCE000-memory.dmp

Filesize
632KB

Download
memory/1320-28-0x0000000001880000-0x0000000001919000-memory.dmp

Filesize
612KB

Download
memory/1320-42-0x0000000001F30000-0x0000000001FCE000-memory.dmp

Filesize
632KB

Download
memory/1320-31-0x0000000001F30000-0x0000000001FCE000-memory.dmp

Filesize
632KB

Download
memory/1320-33-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-34-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-36-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1320-35-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-37-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-38-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-39-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-40-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/1320-41-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/2724-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2724-13-0x0000000000BF0000-0x0000000000C8E000-memory.dmp

Filesize
632KB

Download
memory/2724-2-0x0000000000BF0000-0x0000000000C8E000-memory.dmp

Filesize
632KB

Download
memory/2724-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4140-22-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4140-24-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-26-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-23-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-30-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/4140-21-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-20-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-19-0x0000000077742000-0x0000000077743000-memory.dmp

Filesize
4KB

Download
memory/4140-18-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/4140-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4140-27-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/5072-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/5072-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download