48d6ab9e9deb2b1b278ccbdcd923ba5b4f3d6ff14f49cca4ed190c706ce21053

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234ae080b7834ff4af76d1259da42432.exe
Size

105KB
MD5

234ae080b7834ff4af76d1259da42432
SHA1

db7f75a1ec1c7940b449fb77ac0b7a2fddc9de1a
SHA256

48d6ab9e9deb2b1b278ccbdcd923ba5b4f3d6ff14f49cca4ed190c706ce21053
SHA512

689adbe8cce56d03285c77d28e4204adf096ef2a05f4c641012e224757a21465282d3734ee326b4ca1234e73f48155f303fcd1b1f9583384a0d202ebe1cb7e20
SSDEEP

3072:SCXELNZ8Vt4QQCJIjUmtyx7Wj5gvTTv7nq9vtp:rX88VCkIjj+7uSrHq9vtp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	234ae080b7834ff4af76d1259da42432.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	rb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rb.exe	234ae080b7834ff4af76d1259da42432.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	5068	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	234ae080b7834ff4af76d1259da42432.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 5068	1380	234ae080b7834ff4af76d1259da42432.exe	88
PID 1380 wrote to memory of 5068	1380	234ae080b7834ff4af76d1259da42432.exe	88
PID 1380 wrote to memory of 5068	1380	234ae080b7834ff4af76d1259da42432.exe	88

C:\Users\Admin\AppData\Local\Temp\234ae080b7834ff4af76d1259da42432.exe
"C:\Users\Admin\AppData\Local\Temp\234ae080b7834ff4af76d1259da42432.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\rb.exe
  "C:\Windows\rb.exe"
  2⤵
  - Executes dropped EXE
  PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 228
    3⤵
    - Program crash
    PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5068 -ip 5068
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rb.exe

Filesize
91KB

MD5
ea68903451b0a6f11921b8d80cd03926

SHA1
f56527ffb9a9655ea51ca850ed87b27ebe9f3486

SHA256
d87d13a2fddd1ed838fa9e14fc47e894d8f7fcb3f5301ceb52a125e79d6bcd97

SHA512
ab3718651468735b75fef3711b97a7b179ebd621bcb74723b4b72dc295668afabb383f065b80ad5174bcc6fb3376f23e49353cffb28cc65818ec70a8ed9108c9

Download Submit
memory/1380-0-0x0000000000400000-0x000000000041C200-memory.dmp

Filesize
112KB

Download
memory/5068-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download