e9c44bc4c40edcdffee64be7c7b6af6db196a40eada2e0fe23713d54cc6834a3

Analysis

max time kernel
165s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d0d59ea31743ff67f8a717bd436bae.exe
Size

20KB
MD5

40d0d59ea31743ff67f8a717bd436bae
SHA1

2f1e701e61168e3f2b85e5ef525be8ad73182ca2
SHA256

e9c44bc4c40edcdffee64be7c7b6af6db196a40eada2e0fe23713d54cc6834a3
SHA512

5caf66ec79ea2dca538cb7205e5e9421e1072e434914ce068ce283e35be6140932639b017656e2bdc08bb07126c2b8f8e2d4e9d5613bd6aad878d77340257312
SSDEEP

192:N8V86Esiq71WpX4WmebVXqdnIn05gD9C5hqBlw/xyUSmC6468eOtFlH+lzmhIONC:OG4TebV6dbuoh1kX681FN6BA+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	40d0d59ea31743ff67f8a717bd436bae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	quip.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	quip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 2196	4452	40d0d59ea31743ff67f8a717bd436bae.exe	92
PID 4452 wrote to memory of 2196	4452	40d0d59ea31743ff67f8a717bd436bae.exe	92
PID 4452 wrote to memory of 2196	4452	40d0d59ea31743ff67f8a717bd436bae.exe	92

C:\Users\Admin\AppData\Local\Temp\40d0d59ea31743ff67f8a717bd436bae.exe
"C:\Users\Admin\AppData\Local\Temp\40d0d59ea31743ff67f8a717bd436bae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\quip.exe
  "C:\Users\Admin\AppData\Local\Temp\quip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quip.exe

Filesize
20KB

MD5
715f37dc8a8b0dac187fe73ae750a62f

SHA1
34dd6f87fc177d31e643e95fe59c5a4677257019

SHA256
380d1a4c35dc7521ff1a23f1be83759cf053f49bc77ebed432071f9de8715faf

SHA512
0faef899acffc52dd630ee682eb875822756ee57cc9d8de355726f57419ba6c6ea448cefcd7fede0e9997001ef52a4fba7ff50e1a23ff39bba692a05037c505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wipet.exe

Filesize
1KB

MD5
8d4c07efda188f4ca3290b68b7b5c2b4

SHA1
ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea

SHA256
e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4

SHA512
fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2

Download Submit
memory/2196-8-0x0000000001000000-0x0000000001007000-memory.dmp

Filesize
28KB

Download
memory/2196-26-0x0000000001000000-0x0000000001007000-memory.dmp

Filesize
28KB

Download
memory/4452-0-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/4452-10-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download