404f251747bd266402a87c4070a1795380cb28c3304b476ddace5be3aed64617

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

598010142c07fa2355dc2c8a0b747fae.exe
Size

535KB
MD5

598010142c07fa2355dc2c8a0b747fae
SHA1

45b66add33a02e81e0b911b4098bfd5ec6d2b795
SHA256

404f251747bd266402a87c4070a1795380cb28c3304b476ddace5be3aed64617
SHA512

f96370597721be85c397871fea242f2ff1b414578dc90393e2bc163f6805aa229228ec7891895010b106c0638eb4d101d00ad8252c184e5de94a3e016e560d6b
SSDEEP

12288:si4g+yU+0pAiv+nzWBYbhcK2qVpZoRt3UIVlzTWXZirTFxUlvjosTdcG93Dn:si4gXn0pD+CBihNZTmR6slzT60UlvjRZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	398E.tmp

Executes dropped EXE 2 IoCs

pid	Process
396	398E.tmp
4956	598010142c07fa2355dc2c8a0b747fae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
396	398E.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4576	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 396	2076	598010142c07fa2355dc2c8a0b747fae.exe	89
PID 2076 wrote to memory of 396	2076	598010142c07fa2355dc2c8a0b747fae.exe	89
PID 2076 wrote to memory of 396	2076	598010142c07fa2355dc2c8a0b747fae.exe	89
PID 396 wrote to memory of 4956	396	398E.tmp	94
PID 396 wrote to memory of 4956	396	398E.tmp	94
PID 396 wrote to memory of 4956	396	398E.tmp	94

C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe
"C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\398E.tmp
  "C:\Users\Admin\AppData\Local\Temp\398E.tmp" --helpC:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe 9148D2D2756FDA89462492AC9790603D4ECA155BF70211FE33A962552E5176BBD4DF6A7A21C18E83BD909BBF4FFE73464D531AFA0AB216DD0A010D3B202B05D9
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe
    "C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe"
    3⤵
    - Executes dropped EXE
    PID:4956

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\398E.tmp

Filesize
535KB

MD5
037badee1fc2584e898dfd1f32078fcb

SHA1
7b263fe7532bf7a07b5eb0f28548ceeef4389949

SHA256
e319ef43e5f5314c50f8945c4476a1a6a2d789f565d8e8003858ac804eac9c1a

SHA512
20d1b37845b897c5a0ac7801a24c14c00ebe2d8db567c8bd128d4131af00aa8e09f669b40a490672f0d092fc61b361c4555a911a1e3d6cff14d4d60ea7d21bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\598010142c07fa2355dc2c8a0b747fae.exe

Filesize
255KB

MD5
b7fd76103054f562a11ce616d50a0611

SHA1
7473656e5a33b9ecc401985f917f65054bcbd16c

SHA256
aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

SHA512
2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Download Submit
memory/4576-12-0x0000020195150000-0x0000020195160000-memory.dmp

Filesize
64KB

Download
memory/4576-28-0x0000020195250000-0x0000020195260000-memory.dmp

Filesize
64KB

Download
memory/4576-44-0x000002019D5C0000-0x000002019D5C1000-memory.dmp

Filesize
4KB

Download
memory/4576-48-0x000002019D700000-0x000002019D701000-memory.dmp

Filesize
4KB

Download
memory/4576-47-0x000002019D5F0000-0x000002019D5F1000-memory.dmp

Filesize
4KB

Download
memory/4576-46-0x000002019D5F0000-0x000002019D5F1000-memory.dmp

Filesize
4KB

Download