83ed08f7701b6e397d46fa3ea9e381625625b7e3933f2c0f5e454bb9c309e24f

Analysis

max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fbc13ce46257b3c10123fd06c2a1766.exe
Size

929KB
MD5

6fbc13ce46257b3c10123fd06c2a1766
SHA1

0c6b67422f0cb8bcf0a5a7b0d463f8b6c012d4fb
SHA256

83ed08f7701b6e397d46fa3ea9e381625625b7e3933f2c0f5e454bb9c309e24f
SHA512

ba9f6692fc1af0d39748f08f0b51daba0099803e24543af0e5e91c65507afa0ee8258795766ce11f8a6fa031d2b8a24be2ed8619a0195aa78afdd4f0c247ea66
SSDEEP

24576:1tjOMEWc7JCrA1H0qxA2+a9KEKGWrEWJCi3uXDMSqDr:1QMEWc7+3Ra9KFPHuXq/

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	internal6fbc13ce46257b3c10123fd06c2a1766.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	6fbc13ce46257b3c10123fd06c2a1766.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe
4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4876	2668	6fbc13ce46257b3c10123fd06c2a1766.exe	85
PID 2668 wrote to memory of 4876	2668	6fbc13ce46257b3c10123fd06c2a1766.exe	85
PID 2668 wrote to memory of 4876	2668	6fbc13ce46257b3c10123fd06c2a1766.exe	85
PID 4876 wrote to memory of 4868	4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe	95
PID 4876 wrote to memory of 4868	4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe	95
PID 4876 wrote to memory of 4868	4876	internal6fbc13ce46257b3c10123fd06c2a1766.exe	95

C:\Users\Admin\AppData\Local\Temp\6fbc13ce46257b3c10123fd06c2a1766.exe
"C:\Users\Admin\AppData\Local\Temp\6fbc13ce46257b3c10123fd06c2a1766.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal6fbc13ce46257b3c10123fd06c2a1766.exe
  C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal6fbc13ce46257b3c10123fd06c2a1766.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/6fbc13ce46257b3c10123fd06c2a1766.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsm4A98.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\23585.bat" "C:\Users\Admin\AppData\Local\Temp\921B68F25AE349439550EFBCE0C03F44\""
    3⤵
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\$IDGPBSI

Filesize
96B

MD5
948558114baa7e9673d521ef641432b5

SHA1
06413a21b4166ccb45de1dda35f3b5b40bd5d609

SHA256
752a927818306d46cd2d18db8d38cea678c87d753afffeafcf804c19e07b8e13

SHA512
b7d9a8c5c146d1c8db32ad2437fd8378d023fd186e8074b803fb480c66c6f48f70dd2710e029865c79ae2f376f0ccf5211d2ac16c1c8c379db4f819a10096abe

Download Submit
C:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\$IOLW1B7

Filesize
98B

MD5
6cff98470d990e3e78b87faa39e21730

SHA1
b8e24efd0cf23685e5c76d5ed17219dae8a2f45a

SHA256
b447d8de08b5fecb0cdcade22443b96d2d42c8beb88cc66622e01214202f53d3

SHA512
5d90aa499fcc537d409783d719920b819f77ba70df44c99ca492f1d827640f2dce20415c6506f583bb1826c74c9dd18fe72f99621507973324a0f0de811e8b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23585.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\921B68F25AE349439550EFBCE0C03F44\921B68F25AE349439550EFBCE0C03F44_LogFile.txt

Filesize
8KB

MD5
e3cef710d53543e541c351dea2ee97ae

SHA1
7bc7f6441fb1794cb853955d7ca75577db1edd60

SHA256
4edcb12261b718a329c578964b2151a9288d43b97c5343b4a04d93950ae24090

SHA512
e129c8e3fe88727464d556831c7768f773a2752c3b40442c0864447352470ca07efbf3f5be2f58a3e705f297ecc90adf827a6e2801930070c38c1d94384d0519

Download Submit
C:\Users\Admin\AppData\Local\Temp\921B68F25AE349439550EFBCE0C03F44\921B68~1.TXT

Filesize
110KB

MD5
178f2cff29a08ca77756ed1eb06d7ae8

SHA1
655f450a70a55c96b74677ce5a09aad23ead659e

SHA256
c56f0379174e01e993c5cf459edd2d8103f5ac571e0b14764dfba233b2bc291e

SHA512
30196c790623eae43d91615971e75c6754cbfb733d5641de31c4a738cd9b1a540e85ecbedef83c510dd49157512e98eb25fa00acbbe6368715f7e96df9f3acbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal6fbc13ce46257b3c10123fd06c2a1766.exe

Filesize
1.8MB

MD5
e220c1154b84b7118ed482383df9fbf1

SHA1
e38c74f47e0206cab9462ba14c6dac325b616d12

SHA256
229ce00a41376267cbd61b97cb587f98e711e612ecf0f27abcd6ba7773c88c87

SHA512
80829d91f9e63def316d9a939b4f062f39c2e64c19ed4ade0311496a69710440bfd0ca8fd52817b301956728297e63506dad431f508041d24a0097f961c88f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal6fbc13ce46257b3c10123fd06c2a1766_icon.ico

Filesize
31KB

MD5
eec554d70735944a1bf70cbb2c3994c1

SHA1
1163cd11203af2c1861ae865523326d3030703ce

SHA256
62b1f196c385d93a5740e0d9f929200fbe56ff3f98234f09a003196f6a78b851

SHA512
bb57052319337ca306ab2e7e43b1a9c326e9eff8726edf0a569bd17c894f6681f9a9e3c29c9a5a7e5ff038dbf6a82e435991f21f64f808cb17877817873038ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A98.tmp\internal6fbc13ce46257b3c10123fd06c2a1766_splash.png

Filesize
133KB

MD5
53cd76edf8ffb4fbf9685f7897070019

SHA1
e840f9c64493216194209fbcef1ce102f16d7263

SHA256
5f3f4d0c1ecc3b9505ed63b55450e598391cbb432fc060bdb08185c463a5c1b9

SHA512
36980728c9dd2abd341df4e373fc5831641ba408127765523ea5df1cf432c2cdd2e38d5f7fa187697dd744dc72700fe04330ef77fe4339277b6e76f276ece8bc

Download Submit
memory/2668-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4876-78-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download