058f442d5447d33373a3b06e1ea706cb17fac82dc520601a3181cfbf3b81c6d6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59692698ab3f4e560a790a822d02f80c.exe
Size

100KB
MD5

59692698ab3f4e560a790a822d02f80c
SHA1

016067a5ff2d8fe94b04054714038e57c31f8f2f
SHA256

058f442d5447d33373a3b06e1ea706cb17fac82dc520601a3181cfbf3b81c6d6
SHA512

3e259df170b1ec725c33ed97209c5cf8b03a15ced7bf66af70ebb0890bba48cdee2edf2da8b04901ccc4f60f4bf319ac9e2de1300c733c12a1b1bbbfc36db984
SSDEEP

1536:5V/Vvwrb/4ecaypzb7fmhE4Bd97fB5168y5cFkmg/8s:5Vlyb/5chpzbcEEPrBPLy+Tg/J

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	59692698ab3f4e560a790a822d02f80c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3648	2776	59692698ab3f4e560a790a822d02f80c.exe	34
PID 2776 wrote to memory of 3648	2776	59692698ab3f4e560a790a822d02f80c.exe	34
PID 2776 wrote to memory of 3648	2776	59692698ab3f4e560a790a822d02f80c.exe	34

C:\Users\Admin\AppData\Local\Temp\59692698ab3f4e560a790a822d02f80c.exe
"C:\Users\Admin\AppData\Local\Temp\59692698ab3f4e560a790a822d02f80c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zpv..bat" > nul 2> nul
  2⤵
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zpv..bat

Filesize
210B

MD5
d89761e4c67fcfb6af90e7e6c9232264

SHA1
6ca86da283de6c704e7217fbd59d4c513ae12952

SHA256
da6171709af83d10719996b41d7614421ecfd8e628d3fd91388f890cb3c0db54

SHA512
d56b69532d88c98340a5f36fc4b26de52970b5961ad65e4c9a40c96dd6f4beb9fc6e28889f5d3dd370844ce8ce13477e76f05565a10ffe188e2ececb0696b100

Download Submit
memory/2776-0-0x0000000000580000-0x000000000059B000-memory.dmp

Filesize
108KB

Download
memory/2776-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download