2446b680edb5caaa4b39ee583142762e9afb985757134adbea3359dc0bc84026

Analysis

max time kernel
1s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1baff2586d1113436212d365867e83ff.exe
Size

359KB
MD5

1baff2586d1113436212d365867e83ff
SHA1

8f6858ed38d2e474357db7c7a222a6c2793d9864
SHA256

2446b680edb5caaa4b39ee583142762e9afb985757134adbea3359dc0bc84026
SHA512

ea1480168df9c0d5c388da5f5e10066861a96c0d9908004c2ff841ad056febf015055d0531d45a3669dd6cfa08229b50b254ef9f5f04d3d415a58a0f2fc5242d
SSDEEP

6144:lV2+8BAShhoMcLx9H2H94k36+UyznYlhGgaTqx:Lq/qMc19H2d4hQDeth

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	1baff2586d1113436212d365867e83ff.exe

Loads dropped DLL 1 IoCs

pid	Process
4572	1baff2586d1113436212d365867e83ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 836	4572	1baff2586d1113436212d365867e83ff.exe	37
PID 4572 wrote to memory of 836	4572	1baff2586d1113436212d365867e83ff.exe	37
PID 4572 wrote to memory of 836	4572	1baff2586d1113436212d365867e83ff.exe	37

C:\Users\Admin\AppData\Local\Temp\1baff2586d1113436212d365867e83ff.exe
"C:\Users\Admin\AppData\Local\Temp\1baff2586d1113436212d365867e83ff.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\ccbd1166-7da2-46f1-a191-f286690f872d\start.hta
  2⤵
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ccbd1166-7da2-46f1-a191-f286690f872d\InstallerHelper.dll

Filesize
9KB

MD5
e4b3d890401167138a8869ce9fb494ad

SHA1
a9d000b0312d41a5f396792f77494e970e6c39d8

SHA256
66b08fc9562f6afe5992b30a5953972dd0bc57e5f5325bb0f93822d35fcc769e

SHA512
0ddb6a596344f0e934a871bdb3c26ea2c39c6cf843eb5ea8979154380fe448fae01d80dcf3d0854ee3e1b254288e91e8cd1ce4c430045a7cd983ee88d7153f84

Download Submit
C:\ccbd1166-7da2-46f1-a191-f286690f872d\InstallerHelper.dll

Filesize
18KB

MD5
9b0f65f9ef76257580de24b957bcea8b

SHA1
5687a3163c03089fc61aa756a413025e0eec60de

SHA256
074bd5b66594007a1832690a981c0a942d06935878b20e6c3aab3f27a7aa9332

SHA512
af7675043d7581601b2e0ee7a4a74c18e59bd38e83e0d5a78b186f917a1c085187b6316531910eed350e805912e32f2544d02c5c7f95ce455e34f0cbc83bb408

Download Submit
\??\c:\ccbd1166-7da2-46f1-a191-f286690f872d\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\ccbd1166-7da2-46f1-a191-f286690f872d\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit