e8761a2580f6fd93efe25e688e51aae28078923459aa03a6866e11959b516612

Analysis

max time kernel
153s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d23e9731770f2e6807d4ee80bcbfefc.exe
Size

124KB
MD5

3d23e9731770f2e6807d4ee80bcbfefc
SHA1

08d8710e5a7f6e08f750bb683053362dc1ce8d47
SHA256

e8761a2580f6fd93efe25e688e51aae28078923459aa03a6866e11959b516612
SHA512

92eabebd2dc3cdcb71003805173d03db06e620918ec3f460983884816c303e0805cfb6e0da1ad3dc11c534fbcde5dad813b2fb5442239582a39d5f7746bda90c
SSDEEP

3072:SHuAbDp/7uv/ATQPFzKfwsHjrw0b4B6WAz62W7QnJyR7GEXsT:vAbD5CH1zKfwsXwG2PbmnIAw2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	3d23e9731770f2e6807d4ee80bcbfefc.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	3d23e9731770f2e6807d4ee80bcbfefc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1928	3d23e9731770f2e6807d4ee80bcbfefc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3088	1928	3d23e9731770f2e6807d4ee80bcbfefc.exe	90
PID 1928 wrote to memory of 3088	1928	3d23e9731770f2e6807d4ee80bcbfefc.exe	90
PID 1928 wrote to memory of 3088	1928	3d23e9731770f2e6807d4ee80bcbfefc.exe	90

C:\Users\Admin\AppData\Local\Temp\3d23e9731770f2e6807d4ee80bcbfefc.exe
"C:\Users\Admin\AppData\Local\Temp\3d23e9731770f2e6807d4ee80bcbfefc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
115KB

MD5
10570e62dde13a7045111510304bc3c5

SHA1
ce631a1559c2fc56e940d034c7b5ba5804fbdf08

SHA256
49b35bff979169b2c8c6b63c04da3a37b866e7f3ace3b1080b1a43b0719d3f4a

SHA512
143e25c54369b319c7b7d66e1bfa635c7dae0373d8389fcaea77d86468fa342048f5bce2c9cf453ec476121b1a79729504b0bcf0ce2e8bef62b0ca040b1b134a

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000421200-memory.dmp

Filesize
132KB

Download
memory/3088-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3088-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download