64fad3125a2935a599ef92bfe20e8084f591430725037cc9e313ed0f3cc2cdaf

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

368c75103bd996e4ef887e6495b77277.exe
Size

112KB
MD5

368c75103bd996e4ef887e6495b77277
SHA1

e8f48bc6810d9df03923ecb338f807e1aa2a10e8
SHA256

64fad3125a2935a599ef92bfe20e8084f591430725037cc9e313ed0f3cc2cdaf
SHA512

6c09b540ee1fc7206bad2a509e1480221c1a23e621c12e590c8f27729df5438da0b9781876103a811552491d407ff697a679f2a3fa246668b3b9df4c34ade6e1
SSDEEP

3072:Jc+3rRP720NgOYddi8x4q/d98s6GbDKQjKo:i+31P7lNIdEKd9x6G6e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	368c75103bd996e4ef887e6495b77277.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	tt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\tt.exe	368c75103bd996e4ef887e6495b77277.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3812	368c75103bd996e4ef887e6495b77277.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2124	3812	368c75103bd996e4ef887e6495b77277.exe	91
PID 3812 wrote to memory of 2124	3812	368c75103bd996e4ef887e6495b77277.exe	91
PID 3812 wrote to memory of 2124	3812	368c75103bd996e4ef887e6495b77277.exe	91

C:\Users\Admin\AppData\Local\Temp\368c75103bd996e4ef887e6495b77277.exe
"C:\Users\Admin\AppData\Local\Temp\368c75103bd996e4ef887e6495b77277.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\tt.exe
  "C:\Windows\tt.exe"
  2⤵
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tt.exe

Filesize
106KB

MD5
b51dbfae35682310c477747aae69ff0b

SHA1
156edd5af5ca0d0f57a54c7b971afe4bde5d7846

SHA256
536ac5ad35cb0e6b326be820e9e0bbb503712f59b32952db7a37671b834ac8c2

SHA512
cecf3189b808cbd1c766e7d7edc617e3a23217d1e1642648c8bb593a2fb4b0cdff0909063306ebf567614d261655b036eb4d5833d483b4560e7b8357b4cdd577

Download Submit
C:\Windows\tt.exe

Filesize
75KB

MD5
74e68ca7ede7314cc1b2a35286e18659

SHA1
a436c7278ed255947b7de6cd5b9e5b96c7c83180

SHA256
c005f2bb45e913689fb348b3f23e8ac2ea1a5211eca48213544b8a1fa0bc42a1

SHA512
2c05af4ec0070fa2eb6b245915ac9647e1357a67de6a75e994cd379ac3fc0fbc407f52b6655d2a939307d37d2fec386483e0bcf96ee3a18699da9e8ca69623ca

Download Submit
memory/2124-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download