73d9124054ea2a5db220408b0f3cf794d92984e06d1a1563cfd84e74fe302f6e

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6717242a21f10b17fceb30a6305912d9.exe
Size

94KB
MD5

6717242a21f10b17fceb30a6305912d9
SHA1

9aae99229972641184658e3ae834d3c83be98be3
SHA256

73d9124054ea2a5db220408b0f3cf794d92984e06d1a1563cfd84e74fe302f6e
SHA512

9b6a76bf12373894ef6f4f3f4ac3e3908817fb7a67ec62abf424fe025fbcd02be3f02c207719b9e12978adb4127417b4dd1ef9a08276d8c7183185934c33ab46
SSDEEP

1536:bfg+M2Y9oH+cpTKeyaI0Z/od8bDbRvU5yYeVYXrgITAGXBB3exYEjpepikFIy:bfgyY9oH+cTKGI0Z/oooeVYXrgI0GXW4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6717242a21f10b17fceb30a6305912d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 808	1992	6717242a21f10b17fceb30a6305912d9.exe	88
PID 1992 wrote to memory of 808	1992	6717242a21f10b17fceb30a6305912d9.exe	88
PID 1992 wrote to memory of 808	1992	6717242a21f10b17fceb30a6305912d9.exe	88

C:\Users\Admin\AppData\Local\Temp\6717242a21f10b17fceb30a6305912d9.exe
"C:\Users\Admin\AppData\Local\Temp\6717242a21f10b17fceb30a6305912d9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Qzj..bat" > nul 2> nul
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qzj..bat

Filesize
210B

MD5
8ee2f3d5925fb1d515ce3c9e368f8f5e

SHA1
b8502824b365841b9162ced8a1141acf3b9c6e89

SHA256
f30e50bc035507827c8afa1d3e92dd1cbaa8bb850e377dbb6b33e44eb2d8224d

SHA512
724e6c7b6ed42879167ba9451b59ab5154b8ef37b7d7b75f2f909a332b76f39a6e9da8f319978447428ca04dc8af247463b49b5299c46633b68efeed068f871c

Download Submit
memory/1992-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-3-0x00000000021F0000-0x000000000220B000-memory.dmp

Filesize
108KB

Download
memory/1992-4-0x00000000021F0000-0x000000000220B000-memory.dmp

Filesize
108KB

Download
memory/1992-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download