74f7f30e36d60b1c307a5b26b5370b5fe16ba6386b30fb39495b32e731c2fcd8

Analysis

max time kernel
4s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b0371d992eb9ffc4681258ce8cc2c49.exe
Size

195KB
MD5

4b0371d992eb9ffc4681258ce8cc2c49
SHA1

1d3e1bd367513d7b92c07c180156ea5d45fdb4cc
SHA256

74f7f30e36d60b1c307a5b26b5370b5fe16ba6386b30fb39495b32e731c2fcd8
SHA512

bed98b200e9ffb1735283cefacff0fb5f703244eacc5ed1288f0c410a7d90c30c25d05dd928475ebd3e729971b06ffec01641668114963a5ae249634eb93edb7
SSDEEP

3072:OdDWmr3eifwGQ7d2mk7B9k9HXnOY33G3IjMwnLiskmhKQZT3eiw:4Z3eiBamnk5Xn7G32P+s1MQZT3ei

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	4b0371d992eb9ffc4681258ce8cc2c49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3376	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2968	PING.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 488	4892	4b0371d992eb9ffc4681258ce8cc2c49.exe	90
PID 4892 wrote to memory of 488	4892	4b0371d992eb9ffc4681258ce8cc2c49.exe	90
PID 4892 wrote to memory of 488	4892	4b0371d992eb9ffc4681258ce8cc2c49.exe	90

C:\Users\Admin\AppData\Local\Temp\4b0371d992eb9ffc4681258ce8cc2c49.exe
"C:\Users\Admin\AppData\Local\Temp\4b0371d992eb9ffc4681258ce8cc2c49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4892 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4b0371d992eb9ffc4681258ce8cc2c49.exe" & start C:\Users\Admin\AppData\Local\BDYJMB~1.EXE -f
  2⤵
  PID:488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 4892
    3⤵
    - Kills process with taskkill
    PID:3376
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2968
- - C:\Users\Admin\AppData\Local\bdyjmbpyk.exe
    C:\Users\Admin\AppData\Local\BDYJMB~1.EXE -f
    3⤵
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bdyjmbpyk.exe

Filesize
87KB

MD5
01981184bc065002357d2905070fbf5b

SHA1
90c416b80f476b4500d54602aabd0bd6fe3211d9

SHA256
b1bde38ca76f19de923b8b17c4204c41161e4895518ff955ec1c0e59532b8c6e

SHA512
dd1866fc89ab0add1839d900f4ac0e26f89301240cc3b209eadf96dfc5a342fca895579a9010672dca0d5ee3f125a7853aa3852cb3d390b656d1d411fc1de9af

Download Submit
C:\Users\Admin\AppData\Local\bdyjmbpyk.exe

Filesize
28KB

MD5
95ede2b8cb30fa84bb2e5455b891e9c2

SHA1
98ae7e8494671bd995e7f437a96b52e3e404d279

SHA256
07f458d6bb0a7ccd12ab60b5433b76db1d0d844e4ec1fe8c7f4f3e77948c1df6

SHA512
20f42b424d845241c1bd54f0bf5d7f9df2026155c65e99955116d0035fc45870e13d20eb4515b524b9f0d04315e6af4ae11b38c7617d230aadeb720ad8d44ecf

Download Submit
C:\Users\Admin\AppData\Local\bdyjmbpyk.exe

Filesize
195KB

MD5
4b0371d992eb9ffc4681258ce8cc2c49

SHA1
1d3e1bd367513d7b92c07c180156ea5d45fdb4cc

SHA256
74f7f30e36d60b1c307a5b26b5370b5fe16ba6386b30fb39495b32e731c2fcd8

SHA512
bed98b200e9ffb1735283cefacff0fb5f703244eacc5ed1288f0c410a7d90c30c25d05dd928475ebd3e729971b06ffec01641668114963a5ae249634eb93edb7

Download Submit
memory/2976-14-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-26-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-32-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-10-0x0000000002B00000-0x0000000002B02000-memory.dmp

Filesize
8KB

Download
memory/2976-9-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-30-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-12-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-28-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-16-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-17-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-19-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-21-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2976-24-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/4892-4-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/4892-0-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4892-1-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/4892-3-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download