769375b3c116f876eda9524f71feb8597bceb41fb1e81b8b336b630bd7bd2e53

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54bbdcd0199c544a09b5f4c5fc92500a.exe
Size

65KB
MD5

54bbdcd0199c544a09b5f4c5fc92500a
SHA1

b945234317c135969d62642b800070c11c5d894d
SHA256

769375b3c116f876eda9524f71feb8597bceb41fb1e81b8b336b630bd7bd2e53
SHA512

9c8085251f54fd69f9952c94ebca29159a657b9ebb638e99287b88af88d97bacbdfda92756ee16a44ead7476f56e21667309ec8f1851d461a8cb20e61aec0733
SSDEEP

1536:WZFJTafg3hnfq4yyFB1iRT9bPKzvcOZ70AKgsu:2FGgRfqIx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	54bbdcd0199c544a09b5f4c5fc92500a.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	retro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2440	1624	54bbdcd0199c544a09b5f4c5fc92500a.exe	93
PID 1624 wrote to memory of 2440	1624	54bbdcd0199c544a09b5f4c5fc92500a.exe	93
PID 1624 wrote to memory of 2440	1624	54bbdcd0199c544a09b5f4c5fc92500a.exe	93

C:\Users\Admin\AppData\Local\Temp\54bbdcd0199c544a09b5f4c5fc92500a.exe
"C:\Users\Admin\AppData\Local\Temp\54bbdcd0199c544a09b5f4c5fc92500a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\retro.exe
  "C:\Users\Admin\AppData\Local\Temp\retro.exe"
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
65KB

MD5
57f88c49fd671b3c61454ec68dbff7c8

SHA1
67b2798f01dc22dd2fde4c8963a2a6d073a6c86c

SHA256
aed85d32ac896d9051433d083cf08d52db29f752c023bfeb43abc598ea2b5e0b

SHA512
c65a03493e6ec56a606fcd9cdacff236189754dd2d3730b1fb98e21d2ea7b410a6bca1fc6584d4ffe07c7b6ed88ca36f93c2b7c0189f8be807d5259516cf2ff5

Download Submit
memory/1624-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1624-1-0x00000000021E0000-0x00000000021E6000-memory.dmp

Filesize
24KB

Download
memory/1624-2-0x00000000021E0000-0x00000000021E6000-memory.dmp

Filesize
24KB

Download
memory/1624-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2440-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-26-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/2440-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download