ec40c29ee0b9b7c7747900f580b2d7d8793e1d62d7bf90ef53712113131e14ad

Analysis

max time kernel
44s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a85397933ee018a38cf4be0fce61ae.exe
Size

1.0MB
MD5

41a85397933ee018a38cf4be0fce61ae
SHA1

4b39173f2288c928aa2e8efe8ffd0443922da5f0
SHA256

ec40c29ee0b9b7c7747900f580b2d7d8793e1d62d7bf90ef53712113131e14ad
SHA512

30a28f0d59bc7792aedf3dcdad629a715c6a34fc00cec73e9a4a3dfeb8f0be37ad9ca2c79c130096aeea5fd42a29d5694b92fc66fcdf57d59783fb3a728c84e3
SSDEEP

24576:O0AmEiIz6d+NrC/t6eXCisorTZzMfELIcz+Xdz:OOIpdw9TA8F+N

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	41a85397933ee018a38cf4be0fce61ae.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G.exe	41a85397933ee018a38cf4be0fce61ae.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G.exe	41a85397933ee018a38cf4be0fce61ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	41a85397933ee018a38cf4be0fce61ae.exe
Token: SeDebugPrivilege	4528	41a85397933ee018a38cf4be0fce61ae.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4528	4644	41a85397933ee018a38cf4be0fce61ae.exe	105
PID 4644 wrote to memory of 4528	4644	41a85397933ee018a38cf4be0fce61ae.exe	105

C:\Users\Admin\AppData\Local\Temp\41a85397933ee018a38cf4be0fce61ae.exe
"C:\Users\Admin\AppData\Local\Temp\41a85397933ee018a38cf4be0fce61ae.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\41a85397933ee018a38cf4be0fce61ae.exe
  "C:\Users\Admin\AppData\Local\Temp\41a85397933ee018a38cf4be0fce61ae.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41a85397933ee018a38cf4be0fce61ae.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
memory/4528-10-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp

Filesize
10.8MB

Download
memory/4528-14-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4528-13-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp

Filesize
10.8MB

Download
memory/4528-11-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4528-12-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4644-2-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/4644-9-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp

Filesize
10.8MB

Download
memory/4644-5-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/4644-4-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp

Filesize
10.8MB

Download
memory/4644-0-0x0000000000250000-0x000000000035A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-3-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4644-1-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp

Filesize
10.8MB

Download