e27b1dbc760f4a0b0dc7396c9f94c9b39fe580b6d0e5edd8d863adbb1d3a38ad

Analysis

max time kernel
175s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d92aea3c81a64cbf3b633c2a495c59f.exe
Size

308KB
MD5

0d92aea3c81a64cbf3b633c2a495c59f
SHA1

6fc112eea209c257b140d84bc08b670edca3787b
SHA256

e27b1dbc760f4a0b0dc7396c9f94c9b39fe580b6d0e5edd8d863adbb1d3a38ad
SHA512

7f4b3cdad7a836fdbe42b31bfb06ab2269e58f520805a98011c7135bdf416e5c6f0a6695c9602a6604e15e6c7e969dac4db794411bdc0b02ef36e421378869cb
SSDEEP

3072:rR0+5acGnGyfB7leluYuaoz2z6wSb43rknmLr1i1JGZs49koDvjvGPhNjlPtqWuW:NiGmkV3XGQOJVIvzBWurIvz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	0d92aea3c81a64cbf3b633c2a495c59f.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1224	412	0d92aea3c81a64cbf3b633c2a495c59f.exe	91
PID 412 wrote to memory of 1224	412	0d92aea3c81a64cbf3b633c2a495c59f.exe	91
PID 412 wrote to memory of 1224	412	0d92aea3c81a64cbf3b633c2a495c59f.exe	91

C:\Users\Admin\AppData\Local\Temp\0d92aea3c81a64cbf3b633c2a495c59f.exe
"C:\Users\Admin\AppData\Local\Temp\0d92aea3c81a64cbf3b633c2a495c59f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" -r NewRunExe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
288KB

MD5
e5db78d20b20145570960f484870039c

SHA1
bbb8276557a23153a38069b6e4b9d1f2aaa1de2b

SHA256
e8f122e2df8578bf05c6d0849288852d217ef48963d3b2e631792b002bc807a1

SHA512
20f3491a8631f20f84a83fbd1ecb289518d17d55b84e478c50fbfd6bf2e9d94a4a5e51cdd1bc065245af5957943f668adaecddb17f45b8851d180856153b9a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
308KB

MD5
0d92aea3c81a64cbf3b633c2a495c59f

SHA1
6fc112eea209c257b140d84bc08b670edca3787b

SHA256
e27b1dbc760f4a0b0dc7396c9f94c9b39fe580b6d0e5edd8d863adbb1d3a38ad

SHA512
7f4b3cdad7a836fdbe42b31bfb06ab2269e58f520805a98011c7135bdf416e5c6f0a6695c9602a6604e15e6c7e969dac4db794411bdc0b02ef36e421378869cb

Download Submit