a48a96aa8fe71e15a30812e6477174b0627f1eca2f278b7bb23da9dc4228fe2e

Analysis

max time kernel
156s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d67f156a748180c66e7eff82406140.exe
Size

22KB
MD5

25d67f156a748180c66e7eff82406140
SHA1

71737f06eedfbf6f9223c6dc5f596381e4d52340
SHA256

a48a96aa8fe71e15a30812e6477174b0627f1eca2f278b7bb23da9dc4228fe2e
SHA512

0ce30302c9436279143595bcdaa046f0fa37ff6f315d5add052e77df27de9ffe2e1a6f13ba79551a27b9d0a0472f57acbc00224f003c58fbdbbcbef93894bbf4
SSDEEP

384:1hngLIvXM0yfYzSEbXjFrn06xtYqRRonoUJiOSdAI3F:1+qyfsSsF70QOoUJXSf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	25d67f156a748180c66e7eff82406140.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2624	25d67f156a748180c66e7eff82406140.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 756	2624	25d67f156a748180c66e7eff82406140.exe	97
PID 2624 wrote to memory of 756	2624	25d67f156a748180c66e7eff82406140.exe	97
PID 2624 wrote to memory of 756	2624	25d67f156a748180c66e7eff82406140.exe	97

C:\Users\Admin\AppData\Local\Temp\25d67f156a748180c66e7eff82406140.exe
"C:\Users\Admin\AppData\Local\Temp\25d67f156a748180c66e7eff82406140.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\25D67F~1.EXE > nul
  2⤵
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1296964503

Filesize
1KB

MD5
0b1cd114b167a6c0cd7d896ee0fc0233

SHA1
05d94767c1502e39461cb33b2888a0d8163684f7

SHA256
a67219b74655e4fa4cc0afe9b039133647dee6a0ead0436b18c4b19d8a5a9f5c

SHA512
e7ef02fd69e370457071201e74b859ff5702e36382660a1cc5b20f34674a29d76d0e2be478cd248105b03f522e1ec8fa847b022074e81518ed9bbf91b74cbb6d

Download Submit
memory/2624-0-0x0000000000490000-0x0000000000494000-memory.dmp

Filesize
16KB

Download
memory/2624-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2624-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2624-82-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download