336be3a20ae8a36962ffd26b1ec7fb0ec2274a860dd9423b16ff817d29f1908a

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
Size

7KB
MD5

0094f931121b4047ee8c22a04f005d7f
SHA1

36c641e9803593af2d05e1e147c13b1219a7146d
SHA256

5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e
SHA512

2bf4774e48019a466b2e88c98f4e7863e208d456dd3a547bcc4f82b22f01d29f38aa736e48c378ee0ab66465fc6bdda4f95220136f7fe847a6e48afba8b36eb5
SSDEEP

96:fk+1m1B538+8xvpLXppvYExBrwbfLbnstTDhv0dWAwCzNt:ckmvCHpLXDvYExBrworKWfk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4960	2464	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe	92
PID 2464 wrote to memory of 4960	2464	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe	92
PID 2464 wrote to memory of 4960	2464	5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe	92

C:\Users\Admin\AppData\Local\Temp\5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
"C:\Users\Admin\AppData\Local\Temp\5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Pictures\How to recover.enc.txt
  2⤵
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\How to recover.enc.txt

Filesize
208B

MD5
a964afa63ef86d7f85aac0abf59631dd

SHA1
c0f0127ba04231aa3ca56e1b7778e810814b9546

SHA256
767ec9fe96000fd91d0454d4ec04771f7c6d5bbe9bcd3f50e895954a7de6504a

SHA512
bd1245a6747d2858d44e39cf8487e1ff31a56204bd13116491209cb794b817d107d59b0777c4c3be71f2fe24e5fc34174c75c07d055ec6b1f3d865167681de71

Download Submit
memory/2464-0-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2464-1-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2464-19-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download