7724c16afeb3bddfdbedf0a7843b16ab80ddcfafba737dac861faed35d844497

Analysis

max time kernel
133s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 10:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15f34a9e6a8dd0742ee2aad12acae916.exe
Size

351KB
MD5

15f34a9e6a8dd0742ee2aad12acae916
SHA1

fa46aa7fce68b6fda2fd67aefba0f3d841db49bd
SHA256

7724c16afeb3bddfdbedf0a7843b16ab80ddcfafba737dac861faed35d844497
SHA512

eebfb372069c06b48076387da4f1e6462dfafa2e021de52fe2df0b2a338accce5209b8de4e82bc2dfba0a2ae4a1fd8f148bd0e411f763536e25a1bdf9c137fa6
SSDEEP

6144:cjb9VgzUI52L2qFDGzs301HEqJtFRoLpyW:nIb/Gzs3OHEqJHRoR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	15f34a9e6a8dd0742ee2aad12acae916.exe

Loads dropped DLL 1 IoCs

pid	Process
4620	15f34a9e6a8dd0742ee2aad12acae916.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2380	4620	15f34a9e6a8dd0742ee2aad12acae916.exe	90
PID 4620 wrote to memory of 2380	4620	15f34a9e6a8dd0742ee2aad12acae916.exe	90
PID 4620 wrote to memory of 2380	4620	15f34a9e6a8dd0742ee2aad12acae916.exe	90

C:\Users\Admin\AppData\Local\Temp\15f34a9e6a8dd0742ee2aad12acae916.exe
"C:\Users\Admin\AppData\Local\Temp\15f34a9e6a8dd0742ee2aad12acae916.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\e214d508-7503-4159-90b5-8e855a5ca971\start.hta
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\e214d508-7503-4159-90b5-8e855a5ca971\InstallerHelper.dll

Filesize
132KB

MD5
003adcaf370da993ebaafca58ad75f43

SHA1
b8f66c112f11fe54cb6c41fd34415041a3808753

SHA256
1ec86e9d659f6b245a5f8ab80dfa65eb6ba49c9cbf34796e8e0e4767d370f305

SHA512
54eb920cb20358d7e6c63503d00501807ee858871349552a2da68b73be1ab6da976f172ab4223adf030a16383d50da4cec1597fc3718b78c5337aa05746742c9

Download Submit
\??\c:\e214d508-7503-4159-90b5-8e855a5ca971\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\e214d508-7503-4159-90b5-8e855a5ca971\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit