bd2f06abacbf182f29f082f8a26e2d46239d86fc6e9843dcecb58ac24de48247

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

134ba878f849c6483f46670e4064d3de.exe
Size

2.3MB
MD5

134ba878f849c6483f46670e4064d3de
SHA1

d07ccba56d24947e4d6366d291dbfa6054731278
SHA256

bd2f06abacbf182f29f082f8a26e2d46239d86fc6e9843dcecb58ac24de48247
SHA512

f98f16497a61785a6f52a341879d39a84eda61b907ea038a4ce393d83b0c5286c14ec77384c0a86eb7861d6829b95953ac5046d731f297935dea05116a2f164f
SSDEEP

49152:1c//////imKXdpRqPTJtJ5xVZyu9P33DLca6eI3rHq6G8Pw7nXsYY5nqzfsLLd:1c//////imKrRqP9tnoCP3zm3TqqPYID

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	´«ÆæÍâ´«.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	5112	7zFM.exe
Token: 35	5112	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5112	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2056	2876	134ba878f849c6483f46670e4064d3de.exe	89
PID 2876 wrote to memory of 2056	2876	134ba878f849c6483f46670e4064d3de.exe	89
PID 2876 wrote to memory of 2056	2876	134ba878f849c6483f46670e4064d3de.exe	89
PID 2876 wrote to memory of 2804	2876	134ba878f849c6483f46670e4064d3de.exe	91
PID 2876 wrote to memory of 2804	2876	134ba878f849c6483f46670e4064d3de.exe	91
PID 2876 wrote to memory of 2804	2876	134ba878f849c6483f46670e4064d3de.exe	91
PID 2056 wrote to memory of 4740	2056	cmd.exe	93
PID 2056 wrote to memory of 4740	2056	cmd.exe	93
PID 2056 wrote to memory of 4740	2056	cmd.exe	93
PID 2804 wrote to memory of 5112	2804	cmd.exe	94
PID 2804 wrote to memory of 5112	2804	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\134ba878f849c6483f46670e4064d3de.exe
"C:\Users\Admin\AppData\Local\Temp\134ba878f849c6483f46670e4064d3de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\´«ÆæÍâ´«.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\´«ÆæÍâ´«.exe
    C:\´«ÆæÍâ´«.exe
    3⤵
    - Executes dropped EXE
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\´«ÆæÍâ´«Íâ¹Ò.rar"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\´«ÆæÍâ´«Íâ¹Ò.rar"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\´«ÆæÍâ´«Íâ¹Ò.rar

Filesize
2.3MB

MD5
e612862ff52d8c47d8bc11cf0ed98f3b

SHA1
e06bdce11b75564ed1a000869ff1e46eb0e30917

SHA256
e867863987777b6c0c9e1a4fbbc52490894310fb419b7b33d2f31433a30fcbad

SHA512
33a28e3b883e87c151aca1e09054b79b17c70fa7d024659f060feb8e40ff233101d3c2158c8ebcea72ed6fad530a3f2f127f4b4997cda860ba8c5fc2f33ddf45

Download Submit
C:\´«ÆæÍâ´«.exe

Filesize
17KB

MD5
d1bb9f3297769495a7af10f1ac2f192e

SHA1
3620a6d347fbc74bcce81c89121b519e90a28947

SHA256
88d1d3678842814faaa5048061cfe9259185a1db2901d7b34e1e677510b068be

SHA512
66114bfd9ecc30d1c42c91d7a4e53924843519acafe8bf774ee41a21a9b62b0ee9c0384fc44859d258d1fd7880fa2c2cd5d8c32fd5119cd47e34368e344d4abe

Download Submit
memory/2876-2-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download