8d33421d8f55c2d5d88243f4e4181df691a9602f1c14fae1407aeaf7370751ac

Analysis

max time kernel
186s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6644075ef4ba5b9126bb275b74b5560e.exe
Size

49KB
MD5

6644075ef4ba5b9126bb275b74b5560e
SHA1

e63dafe3cbffadd8403e1a75d70423e80093daf8
SHA256

8d33421d8f55c2d5d88243f4e4181df691a9602f1c14fae1407aeaf7370751ac
SHA512

4877572dba4cab9e38ef3d43f0261949193f16fab873bbe58f363e83cd664fc19d32a6c49c5a429caed3e0a120c38b1d9e71ccf112c22e428d3f611464ea9355
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmx3J:24Bobv7aB0EooYEC3rUVcY3J

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	6644075ef4ba5b9126bb275b74b5560e.exe

Executes dropped EXE 1 IoCs

pid	Process
1268	zbhnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1268	2984	6644075ef4ba5b9126bb275b74b5560e.exe	89
PID 2984 wrote to memory of 1268	2984	6644075ef4ba5b9126bb275b74b5560e.exe	89
PID 2984 wrote to memory of 1268	2984	6644075ef4ba5b9126bb275b74b5560e.exe	89

C:\Users\Admin\AppData\Local\Temp\6644075ef4ba5b9126bb275b74b5560e.exe
"C:\Users\Admin\AppData\Local\Temp\6644075ef4ba5b9126bb275b74b5560e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
49KB

MD5
54ab761c01ac85ac6c389200f729f7d7

SHA1
a38149840342b88b1bb598e5a486d4e31e1f9935

SHA256
6804a7df737631105e1572ca296412f7ac054933ae867329ae9a08027fe953ef

SHA512
b2c55ff6e366f695517edb8fa00b39710e25f365f7afdcf9663dbe6d09fdbe77f3face28ffc5ddbc48061a20340c24e082d630af63dff5dbbf6c3463276ea460

Download Submit
memory/1268-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2984-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2984-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download