bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747

Analysis

max time kernel
168s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d916f950f257216cf9e599d284c5623.exe
Size

7.0MB
MD5

2d916f950f257216cf9e599d284c5623
SHA1

7234fc3111db70d3e441030fd3aeee4022b66efa
SHA256

bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747
SHA512

4d41243dfc17239b29e3c3a507fb3b7ad5617e455a2565b582273bc06a07142da12500e44b40c90f571e24ba5b1aaedacdb7fae69385bacb2ef5be8fee2337a9
SSDEEP

98304:DUodQVDPpCx223tXz7bUHXHxYhDgtFeGSj+giojcgZWBmswab5kaWSgWkNX83DEF:rmb4xr3tD8XHFeGS0ZBVwabawCNSIAju

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2d916f950f257216cf9e599d284c5623.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	7za.exe
1624	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2928	4712	2d916f950f257216cf9e599d284c5623.exe	93
PID 4712 wrote to memory of 2928	4712	2d916f950f257216cf9e599d284c5623.exe	93
PID 4712 wrote to memory of 2928	4712	2d916f950f257216cf9e599d284c5623.exe	93
PID 2928 wrote to memory of 1780	2928	cmd.exe	94
PID 2928 wrote to memory of 1780	2928	cmd.exe	94
PID 2928 wrote to memory of 1780	2928	cmd.exe	94
PID 2928 wrote to memory of 1624	2928	cmd.exe	95
PID 2928 wrote to memory of 1624	2928	cmd.exe	95
PID 2928 wrote to memory of 1624	2928	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623.exe
"C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\7za.exe
    .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    .\Setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads