1e87c5653b2e951afb781018ff2dd522733ce1e0972fda6334a3b1172e6a5b7f

Analysis

max time kernel
161s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43411fd891aec187a67208f31bec4137.exe
Size

100KB
MD5

43411fd891aec187a67208f31bec4137
SHA1

f13bd50804c817091948556cfc7deda2955913c8
SHA256

1e87c5653b2e951afb781018ff2dd522733ce1e0972fda6334a3b1172e6a5b7f
SHA512

f72307d45361b05ca91c9d62d500162643406451a53487e3373f60f76ed6854f533e6162cf1a8118b132714bef6ba650902aab5989d232a75dd7c3e41bee2d0f
SSDEEP

3072:O8U2yJN5f661xRZbALxB1Ojdgx8GY8iJkMo:O8U2qy6rRZb7jxGY8iJe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	43411fd891aec187a67208f31bec4137.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240635656	43411fd891aec187a67208f31bec4137.exe
File created	C:\WINDOWS\SysWOW64\asd.bat	43411fd891aec187a67208f31bec4137.exe
File opened for modification	C:\WINDOWS\SysWOW64\asd.bat	43411fd891aec187a67208f31bec4137.exe
File created	C:\WINDOWS\SysWOW64\syss.vbs	43411fd891aec187a67208f31bec4137.exe
File opened for modification	C:\WINDOWS\SysWOW64\syss.vbs	43411fd891aec187a67208f31bec4137.exe
File created	C:\WINDOWS\SysWOW64\t.t	cmd.exe
File opened for modification	C:\WINDOWS\SysWOW64\t.t	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	43411fd891aec187a67208f31bec4137.exe

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3508	712	43411fd891aec187a67208f31bec4137.exe	90
PID 712 wrote to memory of 3508	712	43411fd891aec187a67208f31bec4137.exe	90
PID 712 wrote to memory of 3508	712	43411fd891aec187a67208f31bec4137.exe	90
PID 3508 wrote to memory of 4992	3508	WScript.exe	92
PID 3508 wrote to memory of 4992	3508	WScript.exe	92
PID 3508 wrote to memory of 4992	3508	WScript.exe	92
PID 4992 wrote to memory of 1692	4992	cmd.exe	94
PID 4992 wrote to memory of 1692	4992	cmd.exe	94
PID 4992 wrote to memory of 1692	4992	cmd.exe	94
PID 1692 wrote to memory of 4452	1692	cmd.exe	95
PID 1692 wrote to memory of 4452	1692	cmd.exe	95
PID 1692 wrote to memory of 4452	1692	cmd.exe	95
PID 4452 wrote to memory of 3888	4452	net.exe	96
PID 4452 wrote to memory of 3888	4452	net.exe	96
PID 4452 wrote to memory of 3888	4452	net.exe	96
PID 4992 wrote to memory of 1840	4992	cmd.exe	97
PID 4992 wrote to memory of 1840	4992	cmd.exe	97
PID 4992 wrote to memory of 1840	4992	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\43411fd891aec187a67208f31bec4137.exe
"C:\Users\Admin\AppData\Local\Temp\43411fd891aec187a67208f31bec4137.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\system32\syss.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\asd.bat" "
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\WINDOWS\SysWOW64\net.exe
        
        net stop sharedaccess
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:3888
  - - C:\WINDOWS\SysWOW64\ftp.exe
      ftp -s:t.t
      4⤵
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\syss.vbs

Filesize
45B

MD5
2eb0bdfe63f039ca11e5fec11a01edbd

SHA1
ee536313771b34fea308499aab0212956a7518c4

SHA256
f2cbc7fd2d24406a057486795a3c4a606bfa7fbf1a624f4ae179be85f32f7fa0

SHA512
ee252e02c86494b60efe981036c2fcb5b5761b68c593e9e5211ecd0e2b4ed3cc2c541f6f533c77a1a4bcc3a1be08b66c4ffc7ff7dfce1efae578c32d9f3df8f9

Download Submit
C:\WINDOWS\SysWOW64\t.t

Filesize
84B

MD5
a9110e052be59f1f7b3fc724b7c693eb

SHA1
0ad61983c0ee231c5daaf4e83e513ef505c9fa77

SHA256
69a1e054956800976be84e3d208583f79eca9ebea7e30a0fac068aef30d70b54

SHA512
6bb1bd45248e5fc946617e2505bcc5d6e99d9a7216fe82317035e88ec17d1a8bf07a0f3c2fe9c61325fc1bb8709689b9d9cfe29c024f68bf9b3188f78f403f9c

Download Submit
C:\Windows\SysWOW64\asd.bat

Filesize
222B

MD5
a51d60320588fd7b868022c2010025e3

SHA1
dc3dd853e1667f41aecfb79ab8c4278efe9b7c4e

SHA256
c98e91ce4795cda6efed6c7839c77c5d2ad86201c077a7c8b730987dcda62ddd

SHA512
b6cbfc840500693d1a916c7be572be78f6aa2b883423be424bc99865aae2594bbd53b202e7101b0ab41fee0ce3fadffac68181eade6098e7eeee2ba53adf62e2

Download Submit
memory/712-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download