02b2a8201bb91c5f0c9f7518e60551dc0853ffd34c5adc112ed855dc541fe25d

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25523720c841da553362207c150413b0.exe
Size

73KB
MD5

25523720c841da553362207c150413b0
SHA1

6ec8c9a59fb7a7998ff5edf6336e039d697b269c
SHA256

02b2a8201bb91c5f0c9f7518e60551dc0853ffd34c5adc112ed855dc541fe25d
SHA512

422463018a667f7d0e0009c3bab7df41deec885f731f72a241344d309b691f18f472e31210d6730c6fb0aa80f930f903a9a637083ea3b8d2ae36b397c7083792
SSDEEP

1536:zmj69PGuFELh3YOJW9dLJMrp9gQbsZQgtGqOTa:zmj65PEZJYtJM/aXGqca

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	25523720c841da553362207c150413b0.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	pinch.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ipdbrute_1.5.191.exe	25523720c841da553362207c150413b0.exe
File opened for modification	C:\Windows\ipdbrute_1.5.191.exe	25523720c841da553362207c150413b0.exe
File created	C:\Windows\pinch.exe	25523720c841da553362207c150413b0.exe
File opened for modification	C:\Windows\pinch.exe	25523720c841da553362207c150413b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2736	3256	25523720c841da553362207c150413b0.exe	26
PID 3256 wrote to memory of 2736	3256	25523720c841da553362207c150413b0.exe	26
PID 3256 wrote to memory of 2736	3256	25523720c841da553362207c150413b0.exe	26

C:\Users\Admin\AppData\Local\Temp\25523720c841da553362207c150413b0.exe
"C:\Users\Admin\AppData\Local\Temp\25523720c841da553362207c150413b0.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\pinch.exe
  "C:\Windows\pinch.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\pinch.exe

Filesize
22KB

MD5
76aa00635c3ebbe20b6d69e790fe4634

SHA1
d791d38d88e91baf55861cac88354c93768e7b1a

SHA256
9e85c66d986ad6dbd2fad174ae88ef2a483a11599c7e5a58f2d36b597f3707fa

SHA512
5464925b6b0b9c3a0d36edfcf8327957f3c506091fe6647bd5b6806bc8a5c4eb0c07dfbca8b1a303b67e4adc52cb6cdc64b0d02157dcbbd7adffb1f73a97edce

Download Submit
memory/2736-12-0x0000000013140000-0x000000001317B000-memory.dmp

Filesize
236KB

Download
memory/3256-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download