6581f19671beaa14bfabf462edcbfadbb294c719b972ac9c45407ed7cb80f59a

Analysis

max time kernel
143s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe
Size

3.1MB
MD5

61364a6fe5efd106c01a7c36ba09abb7
SHA1

90022820444fb45fc831513b51c5f6adaf092307
SHA256

0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf
SHA512

33b82aebe4d1a03f8703d4b4618c2dc7e964eba37701b3ba6acfba8cb20f43eb11c5bbde17cab37e8f364160cee8146102a63609216081cc9b01987cf72e3847
SSDEEP

98304:ystRgLsp8zU/sb5dYLQ5gDxyhQokALsRXzppn:ywgLuz/sb5fyUKJcsN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe

Loads dropped DLL 1 IoCs

pid	Process
3860	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3860	4512	0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe	91
PID 4512 wrote to memory of 3860	4512	0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe	91
PID 4512 wrote to memory of 3860	4512	0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe	91

C:\Users\Admin\AppData\Local\Temp\0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe
"C:\Users\Admin\AppData\Local\Temp\0a8839b793adedb6f3b7882cd3ff2aca653b29aefe4091969bceffae430b6eaf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" SJLNH.u /S
  2⤵
  - Loads dropped DLL
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SJLNH.u

Filesize
386KB

MD5
dfbfa933e8135623060eb552527da299

SHA1
6f2f18c1fe25f84870e49735e0feb535a2a3b4d1

SHA256
0dc9d116958e5de58c45364445c1fd3c858e151a2e3dcd9124139b2daae59941

SHA512
4dd0885b9432301bdd285794ae74e34dec5eb37994c90d49f1703bd52f50df2b0add6fec4b1eb4103586da13e7df94719568fc8d0076e38305b47c4a33f9a1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJLnH.u

Filesize
893KB

MD5
d1d70d21d841d559a20d208748b3d13b

SHA1
6f9d07aae778cbc2215438526756998b2371795e

SHA256
e3f0a0c7ed825b0e79c78af477aa97ae6b9a61766b1bb4dba734c2fd10ac213f

SHA512
10dfff54ee8b2727172baa2e3e444e473d10ab67ceadf125706575b2ad9757cf015712f5c2a9c7b3fb4cf45716d794e3e95def4960f5c23989b901ffb4b979df

Download Submit
memory/3860-5-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/3860-4-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

Filesize
24KB

Download
memory/3860-7-0x0000000002900000-0x0000000002A38000-memory.dmp

Filesize
1.2MB

Download
memory/3860-8-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download
memory/3860-9-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download
memory/3860-11-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download
memory/3860-12-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download