c6e50d736eeef34a8da5225400cc37659470d5419e69153e1e1b97dd084b95aa

Analysis

max time kernel
142s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49cbf43d7ccba2840ccfa66504a6e8b1.exe
Size

133KB
MD5

49cbf43d7ccba2840ccfa66504a6e8b1
SHA1

9ef6f1681b0e43ce6097b06a8baefe8f84adeea0
SHA256

c6e50d736eeef34a8da5225400cc37659470d5419e69153e1e1b97dd084b95aa
SHA512

373cd37e91048f24ba05c8ce18af6cca17404f31af8ed30ec4db2ff776c78ca1be94107ceef085cc5d27e3906a46b2bb0eb762456c8d8174f3812da964a3cc7a
SSDEEP

3072:ceWaePGEq74qv2/OJaH5ilm3tTlaJWZ5Vq3CM8RR:cRaTETdH8ls5mK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	49cbf43d7ccba2840ccfa66504a6e8b1.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	tt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\tt.exe	49cbf43d7ccba2840ccfa66504a6e8b1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	1768	WerFault.exe	25

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4068	49cbf43d7ccba2840ccfa66504a6e8b1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1768	4068	49cbf43d7ccba2840ccfa66504a6e8b1.exe	25
PID 4068 wrote to memory of 1768	4068	49cbf43d7ccba2840ccfa66504a6e8b1.exe	25
PID 4068 wrote to memory of 1768	4068	49cbf43d7ccba2840ccfa66504a6e8b1.exe	25

C:\Users\Admin\AppData\Local\Temp\49cbf43d7ccba2840ccfa66504a6e8b1.exe
"C:\Users\Admin\AppData\Local\Temp\49cbf43d7ccba2840ccfa66504a6e8b1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\tt.exe
  "C:\Windows\tt.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 224
    3⤵
    - Program crash
    PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1768 -ip 1768
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tt.exe

Filesize
116KB

MD5
19c33f4a941831cc445e8c7c13804984

SHA1
00c32005f8d14eee3d9ad4cc86d8ba4649f2916c

SHA256
da7ed94a0fccdf0c11f116d6dbf2a14050cfa322057c8b61ae7b5dce4c0d7ad2

SHA512
6aa7d85bce8a67b7f88dbe4f72e03eb88b168e8614245e50ee71a256e9c164e6b9886eb6b3f823ce5cd18445d69878433777f828b50fceeeebcf022f1251586c

Download Submit
memory/1768-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-0-0x0000000000400000-0x0000000000423200-memory.dmp

Filesize
140KB

Download