398d82f9419304fd4dd25491a55db6cf6d6f89e39782447efc6e1ae8c15346b5

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e39d18345e208f308629e356fa36505.exe
Size

707KB
MD5

4e39d18345e208f308629e356fa36505
SHA1

3057c98128d745c5125b4afb0784f9fe9d341e47
SHA256

398d82f9419304fd4dd25491a55db6cf6d6f89e39782447efc6e1ae8c15346b5
SHA512

2d3a06d648b8acf47b77dcb7b88702b662bf01d98a287b078d558e0fda8b9cafcc05005fe38ff1f9f7fd8e77bd814ccc4f1fc749cef36e34cf245bc0b50ca336
SSDEEP

12288:fQbyAdMsPyz6fnl5EOzQnmDllFlFpVVQ8ue5+gud2FYtaBt5CRntbKuGFP4Oiqqf:1zcjEOzQnCllFlFpVVQ8dug3t58IftxI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4e39d18345e208f308629e356fa36505.exe

Executes dropped EXE 1 IoCs

pid	Process
4672	fcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4672	4192	4e39d18345e208f308629e356fa36505.exe	93
PID 4192 wrote to memory of 4672	4192	4e39d18345e208f308629e356fa36505.exe	93
PID 4192 wrote to memory of 4672	4192	4e39d18345e208f308629e356fa36505.exe	93

C:\Users\Admin\AppData\Local\Temp\4e39d18345e208f308629e356fa36505.exe
"C:\Users\Admin\AppData\Local\Temp\4e39d18345e208f308629e356fa36505.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\fcb.exe
  "C:\Users\Admin\AppData\Local\fcb.exe"
  2⤵
  - Executes dropped EXE
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fcb.exe

Filesize
707KB

MD5
4e39d18345e208f308629e356fa36505

SHA1
3057c98128d745c5125b4afb0784f9fe9d341e47

SHA256
398d82f9419304fd4dd25491a55db6cf6d6f89e39782447efc6e1ae8c15346b5

SHA512
2d3a06d648b8acf47b77dcb7b88702b662bf01d98a287b078d558e0fda8b9cafcc05005fe38ff1f9f7fd8e77bd814ccc4f1fc749cef36e34cf245bc0b50ca336

Download Submit
memory/4192-0-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-1-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-2-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4192-15-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-14-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-16-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download