1ac7beaa0a06a5b69e1ccc706030ddd4d675248f5e54fa150849908e158e2111

Analysis

max time kernel
189s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c1182bbf3efe14caa8452d67a6e313.exe
Size

370KB
MD5

16c1182bbf3efe14caa8452d67a6e313
SHA1

6d5cc4018d63b374fc0b0000d9c5b622ae646a51
SHA256

1ac7beaa0a06a5b69e1ccc706030ddd4d675248f5e54fa150849908e158e2111
SHA512

f6796d9d1f0d317169256346216ebd107b537908e0af0890414d0d8e0aa6045790d310199e2cca631986aa6e6b14b63b8c523c8c257b483591a75c2d276b8e74
SSDEEP

6144:YWMU84YndcRsn2g8VcYXFQx66iPEXBPkubylI2oF7g4boZxnGPaFYMl+:DOdOsnBUcMZpPqtkuG+dbaFpFYC+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	16c1182bbf3efe14caa8452d67a6e313.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4668	372	16c1182bbf3efe14caa8452d67a6e313.exe	92
PID 372 wrote to memory of 4668	372	16c1182bbf3efe14caa8452d67a6e313.exe	92
PID 372 wrote to memory of 4668	372	16c1182bbf3efe14caa8452d67a6e313.exe	92
PID 372 wrote to memory of 4224	372	16c1182bbf3efe14caa8452d67a6e313.exe	94
PID 372 wrote to memory of 4224	372	16c1182bbf3efe14caa8452d67a6e313.exe	94
PID 372 wrote to memory of 4224	372	16c1182bbf3efe14caa8452d67a6e313.exe	94

C:\Users\Admin\AppData\Local\Temp\16c1182bbf3efe14caa8452d67a6e313.exe
"C:\Users\Admin\AppData\Local\Temp\16c1182bbf3efe14caa8452d67a6e313.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\KaspAVP3.exe"
  2⤵
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avp.bat" "
  2⤵
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avp.bat

Filesize
231B

MD5
56b590d4295a14a1fc4e39ff0db9ff08

SHA1
b2db1c194a33d4b41792e283c55861d25993beea

SHA256
dab4ceee28064b7e591acf0093c73ee0fadb7e06ac9609349beac51f5d800e83

SHA512
f62e1811f5d74b4ffa41e5f555881e16cd6f9392aee706479f4a0a0480df4083b3a5c76208e261da2efa55455f95b07e269f13c30d99e9963bdc1c45b00315ca

Download Submit
memory/372-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/372-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/372-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download