ecf336470333f976ecb38f31f28af401b94589d816ee27d10a028a6c36c0cb86

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5510ca04908eb2936a0c5adfa4be2dc3.exe
Size

53KB
MD5

5510ca04908eb2936a0c5adfa4be2dc3
SHA1

bdf38775de1a1688b263c06d90623a00a388affb
SHA256

ecf336470333f976ecb38f31f28af401b94589d816ee27d10a028a6c36c0cb86
SHA512

e3b929bf8de9494e162fcf66ca2a2a15aff55370056a30a63da683757294de615a71ef153014c38a9eae85f2d30bbb1d570a8755cec4f91a9e7cec7a97866b52
SSDEEP

1536:P57caXaF3mMtz85m2DSeePOyyezqabAaqzJ+4okbo:BaFV6ReLA/E4okbo

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	5510ca04908eb2936a0c5adfa4be2dc3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	5510ca04908eb2936a0c5adfa4be2dc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	5510ca04908eb2936a0c5adfa4be2dc3.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\braviax.exe	5510ca04908eb2936a0c5adfa4be2dc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4900	2360	5510ca04908eb2936a0c5adfa4be2dc3.exe	91
PID 2360 wrote to memory of 4900	2360	5510ca04908eb2936a0c5adfa4be2dc3.exe	91
PID 2360 wrote to memory of 4900	2360	5510ca04908eb2936a0c5adfa4be2dc3.exe	91

C:\Users\Admin\AppData\Local\Temp\5510ca04908eb2936a0c5adfa4be2dc3.exe
"C:\Users\Admin\AppData\Local\Temp\5510ca04908eb2936a0c5adfa4be2dc3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
  2⤵
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
202B

MD5
7d148e7676cc37aa40cddba8f97c5cb5

SHA1
736ee16ce28fcf0e5019513ed05ae32c7c099d73

SHA256
80cf64c98ccb3c0a5bf670fc250d253ae9a3ab2894fed45e8fc88aa3ff10046a

SHA512
67781b5ca52585029e58ffc738a1f1893a7b70021d1476f13c4a67c94f8608a2ffad0dec2615379c236f7e2835a8c1cd9a7924585ffc77178bbbdb9bb3992513

Download Submit
memory/2360-0-0x0000000000870000-0x000000000087D000-memory.dmp

Filesize
52KB

Download
memory/2360-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads