437d6e791269d2964b3afd9783ce74a4e03a9d69c3c78b02116055066d076092

Analysis

max time kernel
166s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e09d06a6c9654b059dab4a5a03fc005.exe
Size

508KB
MD5

1e09d06a6c9654b059dab4a5a03fc005
SHA1

6871276a089a443d06209b3ee7c3b84cf930b3a9
SHA256

437d6e791269d2964b3afd9783ce74a4e03a9d69c3c78b02116055066d076092
SHA512

eedb916885cbc649b99d53ec766cededb28abdf346b82b311d5dc94e91ae226b05b1f93dd6f2fe1f57d083ced368b30eee50cc9236376a89eaa1691ae56f4d66
SSDEEP

6144:dck18MipfIUaQYu8tbS6JBcj0U5hjX/Tvf8MJYFW8jb/HFbdsifRe9+cH:dX8Djadu8J4YSjX/THmxrlbBGHH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1e09d06a6c9654b059dab4a5a03fc005.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2444	1832	1e09d06a6c9654b059dab4a5a03fc005.exe	97
PID 1832 wrote to memory of 2444	1832	1e09d06a6c9654b059dab4a5a03fc005.exe	97
PID 1832 wrote to memory of 2444	1832	1e09d06a6c9654b059dab4a5a03fc005.exe	97

C:\Users\Admin\AppData\Local\Temp\1e09d06a6c9654b059dab4a5a03fc005.exe
"C:\Users\Admin\AppData\Local\Temp\1e09d06a6c9654b059dab4a5a03fc005.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\fwtA109.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\1e09d06a6c9654b059dab4a5a03fc005.exe""
  2⤵
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fwtA109.tmp.bat

Filesize
34B

MD5
fed93e4ac6b70ddba94c19b7a05063b9

SHA1
a4ac7c2375baefa39342ae74c777139e1d0cb63e

SHA256
9d1d34d67b3d160e109f646a3d72653e1a074dbce2f80bf1b205f6d97605d4d0

SHA512
0e25e3c48e62ac7d77f88a4aca17782c298f759d33eb9968f9552d2585f582bb1d99a518a2f2c46d6fe7a7680143027fcdbeb5a9e6e8a9cd35935cdc5f060688

Download Submit
memory/1832-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-1-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1832-3-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-4-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-5-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-6-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download