4c4fb61af65d29ea0a117801d8019a7366ac53a9de81c5a73000928396100c53

Analysis

max time kernel
30s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:59

Target

63ed1728575b40bd4d08eec1938c2547.exe
Size

123KB
MD5

63ed1728575b40bd4d08eec1938c2547
SHA1

f4e786ccd1552ca47b669544449be3b8055be4cf
SHA256

4c4fb61af65d29ea0a117801d8019a7366ac53a9de81c5a73000928396100c53
SHA512

fe8f682b5dbf474876badf4a3183f71fe95fd4ce2495f6d579c3ea71107e611588f18f1f90c50d1bb2a887b5751e68b32666d465c9c6fc250372c8d95fdba169
SSDEEP

3072:PfU/WF6QMauSuiWNi9CO+WARJrWNZIYvQd2k:AWKauSuiWNiUBRJrW7fk

Score

7^/10

persistence

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	63ed1728575b40bd4d08eec1938c2547.exe

Executes dropped EXE 1 IoCs

pid	Process
4136	wuauclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	63ed1728575b40bd4d08eec1938c2547.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4136	1656	63ed1728575b40bd4d08eec1938c2547.exe	18
PID 1656 wrote to memory of 4136	1656	63ed1728575b40bd4d08eec1938c2547.exe	18
PID 1656 wrote to memory of 4136	1656	63ed1728575b40bd4d08eec1938c2547.exe	18
PID 1656 wrote to memory of 1120	1656	63ed1728575b40bd4d08eec1938c2547.exe	102
PID 1656 wrote to memory of 1120	1656	63ed1728575b40bd4d08eec1938c2547.exe	102
PID 1656 wrote to memory of 1120	1656	63ed1728575b40bd4d08eec1938c2547.exe	102

C:\Users\Admin\AppData\Local\Temp\63ed1728575b40bd4d08eec1938c2547.exe
"C:\Users\Admin\AppData\Local\Temp\63ed1728575b40bd4d08eec1938c2547.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\63ed1728575b40bd4d08eec1938c2547.exe" >> NUL
  2⤵
  PID:1120