15db1f59b96bfa82618e48e8a149533fbdfdb1e8376059e19d23f24a09901015

Analysis

max time kernel
169s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d1642b55e0676d0bec66325b3dcb66.exe
Size

3.6MB
MD5

41d1642b55e0676d0bec66325b3dcb66
SHA1

cb47a71340cb2d6365a18d7caae63e906fb9a883
SHA256

15db1f59b96bfa82618e48e8a149533fbdfdb1e8376059e19d23f24a09901015
SHA512

6b82ee05bace9679032db3cb9886a4880a80e37713c3e143cf70d4edf6834a2cc2bafc00c009639c84022bc81ed0d93434b8f073c5a288d5894256355d2937e5
SSDEEP

49152:MWVwEWxNIjbMoMMMWVwEWxNIjbMMMMMWVwEWxNIjw:gEWxvEWx7EWxR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	41d1642b55e0676d0bec66325b3dcb66.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\AppxAllUserStore.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BCP47Langs.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\catsrv.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AcWinRT.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AppointmentActivation.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\ARP.EXE	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\attrib.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\ActivationClient.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\CallButtons.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BioCredProv.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\certCredProvider.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\aspnet_counters.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\chcp.com	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\agentactivationruntimewindows.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\asferror.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\backgroundTaskHost.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\charmap.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\clb.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\archiveint.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AppVSentinel.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cmdial32.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\auditpolmsg.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AcSpecfc.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\agentactivationruntimestarter.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BingOnlineServices.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\@VpnToastIcon.png	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\bootcfg.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\calc.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cfmifsproxy.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\Chakrathunk.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AboveLockAppHost.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cabapi.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cdp.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\CloudExperienceHostCommon.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AppVClientPS.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\CastingShellExt.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\adsldp.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\12520850.cpx	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\appmgmts.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\at.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\bcryptprimitives.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\12520437.cpx	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\boot.sdi	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\bdaplgin.ax	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\bthudtask.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\CIWmi.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AppInstallerPrompt.Desktop.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BCP47mrm.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\capiprovider.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cero.rs	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BackgroundTransferHost.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\activeds.tlb	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AuditPolicyGPInterop.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\authui.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\azman.msc	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\cmmon32.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\acppage.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\BcastDVRBroker.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\certenc.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\chs_singlechar_pinyin.dat	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\adtschema.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\AudioEng.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\bthprops.cpl	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\SysWOW64\CameraCaptureUI.dll	41d1642b55e0676d0bec66325b3dcb66.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\setuperr.log	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\win.ini	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\winhlp32.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\hh.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\PFRO.log	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\sysmon.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\explorer.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\HelpPane.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\splwow64.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\system.ini	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\WMSysPr9.prx	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\notepad.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\mib.bin	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\Professional.xml	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\setupact.log	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\twain_32.dll	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\write.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File created	C:\WINDOWS\bfsvc.exe	41d1642b55e0676d0bec66325b3dcb66.exe
File opened for modification	C:\WINDOWS\lsasetup.log	41d1642b55e0676d0bec66325b3dcb66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\41d1642b55e0676d0bec66325b3dcb66.exe
"C:\Users\Admin\AppData\Local\Temp\41d1642b55e0676d0bec66325b3dcb66.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\setupact.log

Filesize
29KB

MD5
c9e62d40e5692e5162f320495a9d5a5f

SHA1
1b82c64ea2fcb26b85c2b88b73f87c5ecf9de3a6

SHA256
7dbcc3eda1f0204312821d7e9335107492abcbc9c0b69b4e4d19f54605b4a3a0

SHA512
ccf756acd3d64d4c2341e8604d1af6e38951b15ea5548965fe2b09eed75c17cb45013ab7a5df33c2080ac561ae84f99cfec114f3e5e904432e41039f83c42a8b

Download Submit
C:\exc.exe

Filesize
3.5MB

MD5
9a6c66ff537f003b2bf56ff25a297465

SHA1
ab3b88e86c53ad0086b19bc6e7fcb3c6fd260ff2

SHA256
fad577298bdbfb3fda38363b685e014a355b23aceda3c1970a1978bb65ed376c

SHA512
aa750a24835ff82981e057db290189b42cb1aecf24afd156c725c3bbfc7090e9ddb43b5d2e9719cf985e0aaf4dfb8360ec24e6f9e89b2c774427c84bf34930dc

Download Submit
memory/3284-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-2-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-27-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-28-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-29-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-33-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3284-34-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download