af1fb623294b6caf7eaeaff52c966ce863673ca48d18b1cdfa3a8ccd4676f69c

Analysis

max time kernel
151s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

465c3a9b49ac0998b2b46d27ee014378.exe
Size

107KB
MD5

465c3a9b49ac0998b2b46d27ee014378
SHA1

fa0b1a459618fb99f601a75361d658c4412513ad
SHA256

af1fb623294b6caf7eaeaff52c966ce863673ca48d18b1cdfa3a8ccd4676f69c
SHA512

58528770e27d68fbedf2473122a79302b7c9f6a37cf8d0eea9d33e98803fe274444ed2344b526df44c0bef22d52cab6be88f85a7e1b1a8d53e7950beb2a73f41
SSDEEP

3072:SzWokCxh50Hy32KlidalWy1lTglCqVZXULsYgv:OWokqaJKEZgl2CyEAf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	465c3a9b49ac0998b2b46d27ee014378.exe

Executes dropped EXE 1 IoCs

pid	Process
3696	rb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rb.exe	465c3a9b49ac0998b2b46d27ee014378.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	3696	WerFault.exe	94

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3728	465c3a9b49ac0998b2b46d27ee014378.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 3696	3728	465c3a9b49ac0998b2b46d27ee014378.exe	94
PID 3728 wrote to memory of 3696	3728	465c3a9b49ac0998b2b46d27ee014378.exe	94
PID 3728 wrote to memory of 3696	3728	465c3a9b49ac0998b2b46d27ee014378.exe	94

C:\Users\Admin\AppData\Local\Temp\465c3a9b49ac0998b2b46d27ee014378.exe
"C:\Users\Admin\AppData\Local\Temp\465c3a9b49ac0998b2b46d27ee014378.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\rb.exe
  "C:\Windows\rb.exe"
  2⤵
  - Executes dropped EXE
  PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 224
    3⤵
    - Program crash
    PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3696 -ip 3696
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rb.exe

Filesize
93KB

MD5
92df9d20bd9138426fff7489673ed192

SHA1
28a3235fb334063f9321d6d51f4eea7a4e9c74d6

SHA256
a691025b079e7ad08b4f1cead3c0a1ae302bdb65e7bb8fb3f5848d5b32fa9197

SHA512
7e5e7ce905aecdc15f1fdd7c4d1c1b16b4962262e0c9b735197d4efbe88f92bd8e7fbc7f1e29b4a59196d6244a412d2dabfc441f64706d16e9373fa8a3a9884d

Download Submit
memory/3696-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3696-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3728-0-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download