27e1ad7e5df8b547ab69367b629661af0cd4b8386aa4d7d4cf05816d8b3e68ba

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db271959c6498e6ac93f42f70edd7fd.exe
Size

78KB
MD5

0db271959c6498e6ac93f42f70edd7fd
SHA1

0ee7c3e155b3aa1c8a2755524a074e5e9d27c460
SHA256

27e1ad7e5df8b547ab69367b629661af0cd4b8386aa4d7d4cf05816d8b3e68ba
SHA512

9d99d2823c2290d5c45da426b81dc551ae8fbdcd1e36ef30d255b0dedd9d4e2469e83ce904e07b496250e47b13e0c2f4ab1298dd6d1411df4d640ad5fa7821ac
SSDEEP

1536:RR8jgVoGs8pQjci3Qi6mDfq+TKsySfizW7KsdN36M/w6YZ8:YjasFgi3pySay7KS/w58

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	0db271959c6498e6ac93f42f70edd7fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	0db271959c6498e6ac93f42f70edd7fd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2912	1648	0db271959c6498e6ac93f42f70edd7fd.exe	91
PID 1648 wrote to memory of 2912	1648	0db271959c6498e6ac93f42f70edd7fd.exe	91
PID 1648 wrote to memory of 2912	1648	0db271959c6498e6ac93f42f70edd7fd.exe	91

C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe
"C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wpf..bat" > nul 2> nul
  2⤵
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wpf..bat

Filesize
210B

MD5
d6ee1140aa8be30cf602b3a7c04db323

SHA1
363d1e05d003ca59c3f5170f7fddc87deece2ec0

SHA256
9e7f52d44671255051309e4021d40e4b690e4d48d82e2a729adbb5ebde77f726

SHA512
f2f780d1066fce6fa1e4b336de1a3943a575e67d2ea894a66d85a2c7a1d7232cb017bd6ec9ed7eebe8fc3479cd9d237f2ac7f2646055bfaa7461cfd7b454b2a9

Download Submit
memory/1648-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1648-1-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1648-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1648-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1648-5-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads