c27a17d0ecd333aa1e08a2162020a317d25557e113ff70decedacfcf0ca2c3e8

Analysis

max time kernel
1s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba0db033c249226b68206784b9fa0bc.exe
Size

3.7MB
MD5

3ba0db033c249226b68206784b9fa0bc
SHA1

65bad6473305b3418d13a98686c81166bc9c07d4
SHA256

c27a17d0ecd333aa1e08a2162020a317d25557e113ff70decedacfcf0ca2c3e8
SHA512

768eb2ec8421fa9894fbb750a842da329b6486d2d305a0046e1185d44f2dae985d86d9af8c65b291bb961e2a571c2089e0e0390578af46c7e33ff133ac34e693
SSDEEP

98304:CsembqxwNbYKdMBcUtwpX35U/qEhzKDqEz35HA9zIovKz3Kxy:bYBcUapn5U/qIzol3Cz0z6xy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	3ba0db033c249226b68206784b9fa0bc.exe

Executes dropped EXE 1 IoCs

pid	Process
868	2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	3ba0db033c249226b68206784b9fa0bc.exe
File created	C:\Windows\1.wav	3ba0db033c249226b68206784b9fa0bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 868	4844	3ba0db033c249226b68206784b9fa0bc.exe	32
PID 4844 wrote to memory of 868	4844	3ba0db033c249226b68206784b9fa0bc.exe	32
PID 4844 wrote to memory of 868	4844	3ba0db033c249226b68206784b9fa0bc.exe	32

C:\Users\Admin\AppData\Local\Temp\3ba0db033c249226b68206784b9fa0bc.exe
"C:\Users\Admin\AppData\Local\Temp\3ba0db033c249226b68206784b9fa0bc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\1.wav"
  2⤵
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
64KB

MD5
4712561a4cbc5a40ee5060f5abad2d80

SHA1
e07482f4e8517cc75766bc364b3d85a3f9d28c5a

SHA256
6018a18b9055f03f62334f5a907fddbd40a60f791fe6fc269eab5aed245c83ad

SHA512
53e7812642d68caed40856cfcf8a10befc3da6e01edab16e06f8e3b11f373f1da9043bf04e2ca7b74f6aecc23567154112667faba0b9ad9f68d14b940308e057

Download Submit
memory/868-10-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/868-9-0x0000000000400000-0x0000000000B15000-memory.dmp

Filesize
7.1MB

Download
memory/868-17-0x0000000000400000-0x0000000000B15000-memory.dmp

Filesize
7.1MB

Download
memory/868-99-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/868-58-0x0000000000400000-0x0000000000B15000-memory.dmp

Filesize
7.1MB

Download
memory/4692-45-0x00007FFEBC8F0000-0x00007FFEBC914000-memory.dmp

Filesize
144KB

Download
memory/4692-41-0x00007FFEBCBE0000-0x00007FFEBCC4F000-memory.dmp

Filesize
444KB

Download
memory/4692-40-0x00007FFEBCC50000-0x00007FFEBCCB7000-memory.dmp

Filesize
412KB

Download
memory/4692-57-0x00007FFEBBA50000-0x00007FFEBBA66000-memory.dmp

Filesize
88KB

Download
memory/4692-56-0x00007FFEBBA70000-0x00007FFEBBA81000-memory.dmp

Filesize
68KB

Download
memory/4692-55-0x00007FFEBBA90000-0x00007FFEBBABF000-memory.dmp

Filesize
188KB

Download
memory/4692-54-0x00007FFED29E0000-0x00007FFED29F0000-memory.dmp

Filesize
64KB

Download
memory/4692-53-0x00007FFEBC450000-0x00007FFEBC467000-memory.dmp

Filesize
92KB

Download
memory/4692-52-0x00007FFEBC690000-0x00007FFEBC808000-memory.dmp

Filesize
1.5MB

Download
memory/4692-51-0x00007FFEBC810000-0x00007FFEBC823000-memory.dmp

Filesize
76KB

Download
memory/4692-50-0x00007FFEBC830000-0x00007FFEBC851000-memory.dmp

Filesize
132KB

Download
memory/4692-49-0x00007FFEBC860000-0x00007FFEBC872000-memory.dmp

Filesize
72KB

Download
memory/4692-48-0x00007FFEBC880000-0x00007FFEBC891000-memory.dmp

Filesize
68KB

Download
memory/4692-47-0x00007FFEBC8A0000-0x00007FFEBC8C3000-memory.dmp

Filesize
140KB

Download
memory/4692-46-0x00007FFEBC8D0000-0x00007FFEBC8E7000-memory.dmp

Filesize
92KB

Download
memory/4692-29-0x00007FFEBF3A0000-0x00007FFEBF3DF000-memory.dmp

Filesize
252KB

Download
memory/4692-44-0x00007FFEBC920000-0x00007FFEBC948000-memory.dmp

Filesize
160KB

Download
memory/4692-43-0x00007FFEBC950000-0x00007FFEBC9A6000-memory.dmp

Filesize
344KB

Download
memory/4692-42-0x00007FFEBC9B0000-0x00007FFEBC9C1000-memory.dmp

Filesize
68KB

Download
memory/4692-28-0x00007FFEBE0B0000-0x00007FFEBE2B0000-memory.dmp

Filesize
2.0MB

Download
memory/4692-39-0x00007FFEBCF30000-0x00007FFEBCF60000-memory.dmp

Filesize
192KB

Download
memory/4692-38-0x00007FFEBCF60000-0x00007FFEBCF78000-memory.dmp

Filesize
96KB

Download
memory/4692-37-0x00007FFEBCF80000-0x00007FFEBCF91000-memory.dmp

Filesize
68KB

Download
memory/4692-36-0x00007FFEBCFA0000-0x00007FFEBCFBB000-memory.dmp

Filesize
108KB

Download
memory/4692-35-0x00007FFEBCFC0000-0x00007FFEBCFD1000-memory.dmp

Filesize
68KB

Download
memory/4692-34-0x00007FFEBCFE0000-0x00007FFEBCFF1000-memory.dmp

Filesize
68KB

Download
memory/4692-33-0x00007FFEBF1B0000-0x00007FFEBF1C1000-memory.dmp

Filesize
68KB

Download
memory/4692-32-0x00007FFEBF1D0000-0x00007FFEBF1E8000-memory.dmp

Filesize
96KB

Download
memory/4692-31-0x00007FFEBF370000-0x00007FFEBF391000-memory.dmp

Filesize
132KB

Download
memory/4692-30-0x00007FFEBD000000-0x00007FFEBE0AB000-memory.dmp

Filesize
16.7MB

Download
memory/4692-26-0x00007FFEC4720000-0x00007FFEC473D000-memory.dmp

Filesize
116KB

Download
memory/4692-25-0x00007FFEC4740000-0x00007FFEC4751000-memory.dmp

Filesize
68KB

Download
memory/4692-24-0x00007FFEC4CA0000-0x00007FFEC4CB7000-memory.dmp

Filesize
92KB

Download
memory/4692-23-0x00007FFECD2F0000-0x00007FFECD301000-memory.dmp

Filesize
68KB

Download
memory/4692-22-0x00007FFECD310000-0x00007FFECD327000-memory.dmp

Filesize
92KB

Download
memory/4692-21-0x00007FFECD330000-0x00007FFECD348000-memory.dmp

Filesize
96KB

Download
memory/4692-20-0x00007FFEBE2B0000-0x00007FFEBE564000-memory.dmp

Filesize
2.7MB

Download
memory/4692-19-0x00007FFECD350000-0x00007FFECD384000-memory.dmp

Filesize
208KB

Download
memory/4692-27-0x00007FFEC4700000-0x00007FFEC4711000-memory.dmp

Filesize
68KB

Download
memory/4692-18-0x00007FF78F480000-0x00007FF78F578000-memory.dmp

Filesize
992KB

Download