98baa2fb780963e3223a46874e1367c0baf0707620415faf0748ae523ceac7b2

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f85921747ecc2e6991a3c93b33fd7f0.exe
Size

883KB
MD5

3f85921747ecc2e6991a3c93b33fd7f0
SHA1

b5106812fa3748cca7772218cfcef80a8ee232af
SHA256

98baa2fb780963e3223a46874e1367c0baf0707620415faf0748ae523ceac7b2
SHA512

2fe4867a7862f8fe6682b1a3f437c7e31a56aa3fd3a8871d69826479a7662fa112c289f3110d13eec3f6033264d3bb8cd34ad5986ca648e9dfe04cbbb47dfefa
SSDEEP

6144:Fo1V5Xjv0A5rcne/qXEX4KEeBSqElYt1uceqKxXx1bJY0zrDf+3gE:C1RcwtX4KFgqElYt1O/v+j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	3f85921747ecc2e6991a3c93b33fd7f0.exe

Executes dropped EXE 1 IoCs

pid	Process
1428	5442796694.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3f85921747ecc2e6991a3c93b33fd7f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe
3324	3f85921747ecc2e6991a3c93b33fd7f0.exe

C:\Users\Admin\AppData\Local\Temp\3f85921747ecc2e6991a3c93b33fd7f0.exe
"C:\Users\Admin\AppData\Local\Temp\3f85921747ecc2e6991a3c93b33fd7f0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3324
- C:\Users\Admin\AppData\Local\Temp\5442796694.exe
  "C:\Users\Admin\AppData\Local\Temp\5442796694.exe"
  2⤵
  - Executes dropped EXE
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
1.4MB

MD5
e13c64e1e939d2a040d244d7ec23ef9f

SHA1
0bf93de4b810702b7b8104dd35f4bd202a2c01cc

SHA256
d14dd217ddaa1cb13b3d1d627bc871318a73f4f5e2f151c4d7a3f1f56b296ade

SHA512
6485cb4d8d2f5f3626b5c76e80d6473d11197122ba4dfc289aa71c7462d59730e3eec8f24dec93af2ebd56c248029afb313323edbf1bc97f14813b1e74d75523

Download Submit
C:\Users\Admin\AppData\Local\Temp\5442796694.exe

Filesize
136KB

MD5
0771f1093c73fadc78a28bfc223b6078

SHA1
8df46356356451e8ab6fd5e60662c4bde5c3c225

SHA256
fd2a4837828c51d8f6f4a4d1b035cbbebc006e724fc098eb9e09dc2e3fc249ab

SHA512
8f7df2bcbcc9646d874be55fcaf41542e9643b81014de58f181db2970c052012e55bd0f09151945a14a4ac20a6516cafd36267cb3d33ede9e7dc34170bb698a0

Download Submit
C:\log.txt

Filesize
781B

MD5
de13af15d9b4fb07fb8363ce4777dc9f

SHA1
667ddc1847ec4d0f85d8700259b9821d147c49ae

SHA256
a13827c5ad3fdb0c92837e31a41449bf8608407e0c93530e42a1924b4b5274ac

SHA512
bf484dfafcfb10cbd9c4e857a65987243e4976f87047050055f7837a291e9b1c3f1131ceba285cf5f454e64a2f8f989fdaf3b73966d1f3a86cc670307b29c864

Download Submit
C:\log.txt

Filesize
980B

MD5
2aabf0e3ea2af9ed16b25238baa18d29

SHA1
843cb9c528010dfea90245803474db03fa552888

SHA256
a0932347dcec69db225aef363d5827d2290d0f978ba70bd6e1dd0b5b352deacd

SHA512
ed55086546fd2278a0f261ee6dfa678881da70257e8923066e80c5ece3d6835f32cc275cf06a016589678bc9bedddac5d6744631cad3255afa3ec588b7f111dc

Download Submit
C:\log.txt

Filesize
1KB

MD5
dd61bdc43f10843160c3ae7dff71ab78

SHA1
d4ee001d867da51e962c39e2952841708b717841

SHA256
b946c028a2e2563549bbe5c20f8f51bf22b127aef34555fefddde8bbbede331e

SHA512
d91f9955d5f0e51339a2427fcf85c7be4232bcc24db04020a89626c079a3e1566d4098a1633af5078df05e73ad1674cc145a60b48ac7057129249cf0af6bd05e

Download Submit
C:\log.txt

Filesize
2KB

MD5
a4928a45a2070d69315ab5e7aaf0ac00

SHA1
c02f5f214d8c309d44f575d985510e8f23a65eb8

SHA256
965bfe996869e23b47b8a0aa6faf8deb3ed44a6a2f9c6b10b7f16cb84655182e

SHA512
9eaa8da80fe116a9cb8453b31d53eeae4837bdfef3c82f3adc5782e8be9c926047b9ac8a9cb6ae901ba54bc3c6851972592d2a281824ddb0d25336105bf501fc

Download Submit
C:\log.txt

Filesize
2KB

MD5
645c883cccbad6135c51a277cd5d2a61

SHA1
078ce93aa9e503c02e55229a08af5abf3e07cc79

SHA256
bcb21a98763ee46c88d2fc4f3fcd0e51fc5266ac15a6460dc59d1315033a5992

SHA512
a3f2ace33e206f34bb647ad04da30d0dc0fe472ccf15ef6757082556eaddcd391cadf3f6472f4bc61179a8ac373e24093f97fc1ad6300595722a7d5e727bd7ca

Download Submit
C:\log.txt

Filesize
2KB

MD5
defd63d64258a68eea5368f6a3101924

SHA1
60b2be705e205096375e51d07e22c6cebfacd155

SHA256
0114780927a442aa573b5de22ee3955794358d8e2caed20d932d64d884c140eb

SHA512
9706a156bfb6c9d4e446effe2bee2dd492430c7b37fd8905bc5a262ca73bff67c252ea687d72b030bc599380591f45830288f2c54f72f958d891a12c33a3bf7b

Download Submit
C:\log.txt

Filesize
3KB

MD5
ab55f1ce2734c819d0edab44b0e25b60

SHA1
4f97e78b12d2be8b646026c6d068e62f3b84e5d8

SHA256
706583260d6e17b610c63e45d397ae1be1c590746a714baa824b480debdd6c57

SHA512
df337e6481b862f9cb7810c8d718eb3df4f68ea074472695d0e44b8f96f43610f3d87a03aab66e68c21fd432eba8a91964d3cb36a5a0c70614c359a6ab93563c

Download Submit
C:\log.txt

Filesize
4KB

MD5
1edae4c8c40abeeba6a82ac974cf6833

SHA1
5623bde3ba07142c3fc896e184188c2599021940

SHA256
e6f5424bb6943eda3ceb1fd92461727f9ad898301434b885fb189580f8e86ddd

SHA512
67637912a1b5367b303d971146322fc6adf3335595ee58cdd142dada5d9111c361de964cf5a958f4c6de68f800d10723ca25c8ec39ce85d05cb3d7c2d4472366

Download Submit
C:\log.txt

Filesize
4KB

MD5
2443f184d9b94efcdc90c3e199d06746

SHA1
461ffc47b478456878be5657e05f80f339758059

SHA256
9297896a34e073c9e8c51d7b9c1f899dfdd6517b7fb9f1a04de5b2a652f9e2d9

SHA512
e84c1ff623cc84faf590ac74d12da1c0a99e23c521dd4289bb52332df1029eb2edfa2f0a4d79fb41dd61688de43fc622a760791b3426bd8814c6dfd08fd1b76b

Download Submit
C:\log.txt

Filesize
609B

MD5
33587deb57aa6dd016c7f704d3405cfc

SHA1
b8900af92741b8b07e768265aa6a0d32155d174b

SHA256
c7f6ad45aeef1e94fb6580ab5f9a634a19728f0273b2c1dc87cd0fbcd5cd7e26

SHA512
bdf10f237d69b870633c7b82f67ad192ae35b40d1e7d41e2d2c8a8b0390e0a5135a002c901a4bac36f97e49198df297ffe23f4c0ec10d673819e5694c774e12b

Download Submit
C:\log.txt

Filesize
737B

MD5
fc5154d97079e9867827ce656d51ffe9

SHA1
11c497557c846d551c9c9baa26320a0cde6fb18d

SHA256
733e2d3821191d93a21ebb94f968dbe15ceaf2ee6ffb9067a79b11a266469468

SHA512
8cae96409e536be11767ba15592831151358bc653e7d8945c3d4e2dee1948f9d392fd72ffc624fe5488871e234a581d5b69204eb5b3e2b813be236381e5e4568

Download Submit
memory/3324-243-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3324-363-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download