17bb8d4545085bace996d4d0d18e88190971a13089e17ba1c8cdd21746db0d2c

Analysis

max time kernel
149s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1af0589313b5d33a65c970803e54cb9a.exe
Size

123KB
MD5

1af0589313b5d33a65c970803e54cb9a
SHA1

42735deb9b7f2306fe084a74de29b9038aeee665
SHA256

17bb8d4545085bace996d4d0d18e88190971a13089e17ba1c8cdd21746db0d2c
SHA512

cff71a9dcfb1d4bf15e948b9d192c798caec09bcbdacf56f78344924305c6754f64ec02610a8ddaade7a8a3eca24340a8d37adc733def3283d3d3c88b441d4f6
SSDEEP

3072:SKmfBpGzw3sqOp/OcXMVsAd/yEbSYXuDYUBRoIFZYov2v/:xmfBpzdsidFeff/ZYLv/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1af0589313b5d33a65c970803e54cb9a.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	1af0589313b5d33a65c970803e54cb9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4992	3216	WerFault.exe	93

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4932	1af0589313b5d33a65c970803e54cb9a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3216	4932	1af0589313b5d33a65c970803e54cb9a.exe	93
PID 4932 wrote to memory of 3216	4932	1af0589313b5d33a65c970803e54cb9a.exe	93
PID 4932 wrote to memory of 3216	4932	1af0589313b5d33a65c970803e54cb9a.exe	93

C:\Users\Admin\AppData\Local\Temp\1af0589313b5d33a65c970803e54cb9a.exe
"C:\Users\Admin\AppData\Local\Temp\1af0589313b5d33a65c970803e54cb9a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  PID:3216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 224
    3⤵
    - Program crash
    PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3216 -ip 3216
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
114KB

MD5
e7f1aa4c2dc3575759f56a57702fca66

SHA1
2efb5e1c28cdde1cb4a7157b3bd2ec45897254ea

SHA256
9a6de1e0e0826d40c7275498a685dc714bb9873569a208a506208c9fbacc904c

SHA512
e4e3301f3347cf92aa5b88b6e51d9ccdb1135cdcc38a86d76720270503a4dc1161f8d7ba980d63fc3cb9b320fe171c52dbd191ae020a78edf62ccc066115d403

Download Submit
memory/3216-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3216-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4932-0-0x0000000000400000-0x0000000000421200-memory.dmp

Filesize
132KB

Download