5c56fc1ca2f777f59d8bb717437c594a5f7887f97e238c2ace20b8baf5bd1dd5

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1536f029eee015deb667ff19244a6136.exe
Size

73KB
MD5

1536f029eee015deb667ff19244a6136
SHA1

4d49a5a2a0f641f52dfd01867d0c957b7233c78e
SHA256

5c56fc1ca2f777f59d8bb717437c594a5f7887f97e238c2ace20b8baf5bd1dd5
SHA512

3f649ee84885e6dea813de94c416821a8515c58214986a264c8228467877f52fd919f64bd68fe2b86fed5fdc9863ae5ee10dcf8c8054db95982600e36b20d4b6
SSDEEP

768:w4W1+KhWjmS7+w5/boHCAP3bOKehbzimqxUbUMbLQaFA5q+NT0S:XsBh4d56P3bO9zd50csq+mS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	1536f029eee015deb667ff19244a6136.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	1536f029eee015deb667ff19244a6136.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 440	1148	1536f029eee015deb667ff19244a6136.exe	91
PID 1148 wrote to memory of 440	1148	1536f029eee015deb667ff19244a6136.exe	91
PID 1148 wrote to memory of 440	1148	1536f029eee015deb667ff19244a6136.exe	91
PID 1148 wrote to memory of 4540	1148	1536f029eee015deb667ff19244a6136.exe	97
PID 1148 wrote to memory of 4540	1148	1536f029eee015deb667ff19244a6136.exe	97
PID 1148 wrote to memory of 4540	1148	1536f029eee015deb667ff19244a6136.exe	97

C:\Users\Admin\AppData\Local\Temp\1536f029eee015deb667ff19244a6136.exe
"C:\Users\Admin\AppData\Local\Temp\1536f029eee015deb667ff19244a6136.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\×èò.txt
  2⤵
  PID:440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1536f029eee015deb667ff19244a6136.exe" >> NUL
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\×èò.txt

Filesize
124B

MD5
fb09ea925526813888b9f9be6c6c6b77

SHA1
047a3bf2f74349ee659d2164276ca6bc11cffd66

SHA256
1d280f1d5e85a39ce9b04dfbd58c1d0102d20b5bac6496950f421908c7129b21

SHA512
3fc81ed7ddf29c1636c9e051f8d8e579e72dd5f5c403d2156c166fc4f569367d7163418f34571511686d9db6e9c61c20f4a8a3cf9478d74bc73a27bdd7e36343

Download Submit
memory/1148-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1148-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download