ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

Analysis

max time kernel
0s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe
Size

207KB
MD5

8d0a312773a8475e499b7f879cfe8ece
SHA1

7aa2568f464780f85dafd385a6ff82d79ea6379f
SHA256

16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49
SHA512

a7cbd19806e8832ef687ccf01debf3db4c0afb9e631379e2200c7da5144fd40146508b2c9685bddadf620491bff5f30f910ab0d6c900fc34bfb0893dcd78d953
SSDEEP

3072:5M+lmsolAIrRuw+mqv9j1MWLQBexM+lmsolAIrRuw+mqv9j1MWLQ:S+lDAAYx+lDAA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe

Executes dropped EXE 1 IoCs

Processes:

ex3t.exe

pid process

4240 ex3t.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4240	ex3t.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe

description	pid	process	target process
PID 2108 wrote to memory of 4240	2108	16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe	ex3t.exe
PID 2108 wrote to memory of 4240	2108	16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe	ex3t.exe

C:\Users\Admin\AppData\Local\Temp\16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe
"C:\Users\Admin\AppData\Local\Temp\16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108

C:\ex3t.exe
"C:\ex3t.exe"
2⤵
- Executes dropped EXE
PID:4240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ex3t.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ex3t.txt
Filesize
15B

MD5
c2c23b2a4e6fc900f0c92ecd9aacca57

SHA1
9f295e46d3f7d86bd87aa8a217d18f77f70c3c52

SHA256
de2749ac0410216a2f4290c84cef785adfd563f84ee0b5ff09ad1fce957987bf

SHA512
53728943d52ff09d86e8887e440652b76186a8a8f01dad39da4a3a19ae332f8486ca369d2dd8f9ed9e10f87c16b2cdded96a221a34df52230e4f3f48ceacc59c

Download Submit
memory/2108-0-0x00000000004B0000-0x00000000004EA000-memory.dmp

Filesize
232KB

Download
memory/2108-1-0x00007FFF52780000-0x00007FFF53241000-memory.dmp

Filesize
10.8MB

Download
memory/2108-2-0x000000001B340000-0x000000001B350000-memory.dmp

Filesize
64KB

Download
memory/2108-18-0x00007FFF52780000-0x00007FFF53241000-memory.dmp

Filesize
10.8MB

Download
memory/4240-19-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-17-0x00007FFF52780000-0x00007FFF53241000-memory.dmp

Filesize
10.8MB

Download
memory/4240-20-0x00007FFF52780000-0x00007FFF53241000-memory.dmp

Filesize
10.8MB

Download
memory/4240-21-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-23-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-24-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download