eb1520559de8a4f15c6a9dc6dac8ff69285ada9321c756a2b0273ec0c38f9409

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 02:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f61c23cd1d2ac20b28846f15005c206.exe
Size

27KB
MD5

4f61c23cd1d2ac20b28846f15005c206
SHA1

1741b679d356e63e2b5fa5ad9952189b3b3a070e
SHA256

eb1520559de8a4f15c6a9dc6dac8ff69285ada9321c756a2b0273ec0c38f9409
SHA512

115873349c616439ee8e7ceca7d10f416f350afd63c9979c7cee257bfe0590c7c9b19953f74ec58e977977bd9228fc4959174f888419da0b8c816df38cd8da7f
SSDEEP

384:wC5azxFqgqja4u5oK5iGKSdJBnOLna/h/Gyp0u+vlV4EuOdGlhLnlgM11jlPtOp9:wiazxujNSdJBnOGVGqlz9Op6yH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4f61c23cd1d2ac20b28846f15005c206.exe

Executes dropped EXE 1 IoCs

pid	Process
4384	1413bade-7f9d-4546-adc5-a37927a7e671.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3556	4f61c23cd1d2ac20b28846f15005c206.exe
3556	4f61c23cd1d2ac20b28846f15005c206.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	4f61c23cd1d2ac20b28846f15005c206.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4384	3556	4f61c23cd1d2ac20b28846f15005c206.exe	89
PID 3556 wrote to memory of 4384	3556	4f61c23cd1d2ac20b28846f15005c206.exe	89
PID 3556 wrote to memory of 4384	3556	4f61c23cd1d2ac20b28846f15005c206.exe	89

C:\Users\Admin\AppData\Local\Temp\4f61c23cd1d2ac20b28846f15005c206.exe
"C:\Users\Admin\AppData\Local\Temp\4f61c23cd1d2ac20b28846f15005c206.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\1413bade-7f9d-4546-adc5-a37927a7e671.exe
  "C:\Users\Admin\AppData\Local\Temp\1413bade-7f9d-4546-adc5-a37927a7e671.exe"
  2⤵
  - Executes dropped EXE
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1413bade-7f9d-4546-adc5-a37927a7e671.exe

Filesize
4KB

MD5
f80fa38d37eb2d1d1d3aec66003b5780

SHA1
fd5e87fe12df96def7ec3823744c063ecbcf653d

SHA256
eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

SHA512
3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

Download Submit
memory/3556-0-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/3556-2-0x00007FFEC48E0000-0x00007FFEC53A1000-memory.dmp

Filesize
10.8MB

Download
memory/3556-12-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/3556-18-0x00007FFEC48E0000-0x00007FFEC53A1000-memory.dmp

Filesize
10.8MB

Download
memory/3556-19-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/4384-14-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/4384-15-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4384-17-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download