07c31fcbacced87e8075b71528bdd18c5f88169327a72998d7b3e685ccd7dcd4

Analysis

max time kernel
146s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

436bafbdf441fa215ec3511e02e7ca3e.exe
Size

253KB
MD5

436bafbdf441fa215ec3511e02e7ca3e
SHA1

48bd660899666ce3cec657d6cddbf1e592920971
SHA256

07c31fcbacced87e8075b71528bdd18c5f88169327a72998d7b3e685ccd7dcd4
SHA512

a756bbd76cfff0ffd78d5484fc889f843cdc535be1c6ee32f29cc1a3096fc972874362dd502140842f6df3da230460e2a0f0fe50ceb8c625b03f9d9d9daa255a
SSDEEP

6144:md93ZBZMbqYgomHmcRUTV5nUliOZ9xvDHIbCan8WiQZWq0z19ck:mr3ZBIRARUTV5nlOfxiR8EN0Ek

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	436bafbdf441fa215ec3511e02e7ca3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	crmiy.sfx.exe

Executes dropped EXE 2 IoCs

pid	Process
1116	crmiy.sfx.exe
4884	crmiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	4884	WerFault.exe	96

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1116	1920	436bafbdf441fa215ec3511e02e7ca3e.exe	94
PID 1920 wrote to memory of 1116	1920	436bafbdf441fa215ec3511e02e7ca3e.exe	94
PID 1920 wrote to memory of 1116	1920	436bafbdf441fa215ec3511e02e7ca3e.exe	94
PID 1116 wrote to memory of 4884	1116	crmiy.sfx.exe	96
PID 1116 wrote to memory of 4884	1116	crmiy.sfx.exe	96
PID 1116 wrote to memory of 4884	1116	crmiy.sfx.exe	96

C:\Users\Admin\AppData\Local\Temp\436bafbdf441fa215ec3511e02e7ca3e.exe
"C:\Users\Admin\AppData\Local\Temp\436bafbdf441fa215ec3511e02e7ca3e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.exe"
    3⤵
    - Executes dropped EXE
    PID:4884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 332
      4⤵
      Program crash
      PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4884 -ip 4884
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.exe

Filesize
99KB

MD5
1bdf5c4911434109880475e4f8c5a525

SHA1
3b3b8680b3489023feea2190d9abb9167b2310c3

SHA256
ef0361408091f5a4a323fedc59ae0e0bb34ed5a46e69ef5129b616960dfef60e

SHA512
c3966291b45d8ead81594b9cce1b5ddeb58342105bf2795a008019753fac1cc4f959f240fb2b292ae191c8b4e678d3da4d42a6adaf0b161c447b7f75d99b00a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crmiy.sfx.exe

Filesize
184KB

MD5
c7a20a7cb2eb3540f0244492ab1fcdc2

SHA1
a8282e2b566681614c422c397d166d0d92aca40b

SHA256
48fff08ecae4f28e511b29f051f55aab44d857cb5689ced70f3e1c564ac571b2

SHA512
e9eb1aeda1e9b5ba183099c2c8194158c42f6ca72f9c36b1119cb296b7fd51c190d1bc959bbc7866e401c862c96552fe726a9296301b737142e69e7cd1ab9f19

Download Submit
memory/1116-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1920-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1920-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1920-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4884-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download