a20fe7a4a41a3db3aa49080cbac311212e787daae5dc6ea2fdea7caa8022e6ca

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70af8a60f12cf231437bad783000b77a.exe
Size

77KB
MD5

70af8a60f12cf231437bad783000b77a
SHA1

e3174295c14cb86cd0daed705236e411cbc594b8
SHA256

a20fe7a4a41a3db3aa49080cbac311212e787daae5dc6ea2fdea7caa8022e6ca
SHA512

8893d2a798a9f997d73795f95e3d7a26502c881ac4a22001d93496f52521c10342837533250a2e6e88574dd73a4b6de67d7e850358c820acff7b8febc1c39279
SSDEEP

1536:AiQgzHtbdeQi4C9bnWe7z9EQ3G2e7JqSbk4p:lQgzHzCNhWSGXVqz4p

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	70af8a60f12cf231437bad783000b77a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 5104	748	70af8a60f12cf231437bad783000b77a.exe	88
PID 748 wrote to memory of 5104	748	70af8a60f12cf231437bad783000b77a.exe	88
PID 748 wrote to memory of 5104	748	70af8a60f12cf231437bad783000b77a.exe	88

C:\Users\Admin\AppData\Local\Temp\70af8a60f12cf231437bad783000b77a.exe
"C:\Users\Admin\AppData\Local\Temp\70af8a60f12cf231437bad783000b77a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Bhv..bat" > nul 2> nul
  2⤵
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bhv..bat

Filesize
210B

MD5
c6ea61351784bc70f625a3188f0f6e8a

SHA1
09164e19dd95fd5ae6435a4192bcefeb524d99fa

SHA256
b0c912695608e4bad09d5ccad79fc0d3cd1ccb66041c5e5e5c2e0f5368ef113f

SHA512
6ff650c9e89a4f12381c60fe4524ee6175350170c21d529fc2bb6d3eb482b5ebbb6152e78286567d4be6e0a1d9abce8ac2aa32aa48c2030602392b9c19e27fba

Download Submit
memory/748-0-0x00000000021A0000-0x00000000021BC000-memory.dmp

Filesize
112KB

Download
memory/748-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/748-2-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/748-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download