bddc18d4d1693fa2c464fc24196fe89a930b3019fa7b751a58856a5752b4a338

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737abcad33814da26b25a43e6851fca8.exe
Size

72KB
MD5

737abcad33814da26b25a43e6851fca8
SHA1

57f45e5c1f2aacf8db5cce882a96eb2598e4f490
SHA256

bddc18d4d1693fa2c464fc24196fe89a930b3019fa7b751a58856a5752b4a338
SHA512

ce6ea5ce6c984f873a6ebd8922d81d58b886e87a6a2115b62aff975b1e504f841f12af59e4082e7ac471b6eb4a48e58dc2069f22f888da747adf9d3d18475c4d
SSDEEP

1536:WzeJL9ihxoI+rtyWASIC4qrFfpFF60a8U3/HN1t8rn7IPCFiR3fsk6+/vmjof:Wz/hxoI+rty+IjqrLa8UvNzLPjfsXo

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	737abcad33814da26b25a43e6851fca8.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2944-1-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/2944-3-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	737abcad33814da26b25a43e6851fca8.exe
2944	737abcad33814da26b25a43e6851fca8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 860	2944	737abcad33814da26b25a43e6851fca8.exe	87
PID 2944 wrote to memory of 860	2944	737abcad33814da26b25a43e6851fca8.exe	87
PID 2944 wrote to memory of 860	2944	737abcad33814da26b25a43e6851fca8.exe	87

C:\Users\Admin\AppData\Local\Temp\737abcad33814da26b25a43e6851fca8.exe
"C:\Users\Admin\AppData\Local\Temp\737abcad33814da26b25a43e6851fca8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Srb..bat" > nul 2> nul
  2⤵
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Srb..bat

Filesize
210B

MD5
fc6d6ea1b6668d912558b98b3e1f70b7

SHA1
5c25ee58d956bac2f79322ec3bc90e17b384adfb

SHA256
1cf8050b73c12fb21eeb038b17dfd78b2ae9ac1e73c65c90931f73af3aea0cc2

SHA512
f2174e83b2bc6a2d21453a1c318bebf115cdeef3db8b370f96c3cd82bfa2c6fc5e1e6bce9d15cfa10d776c68cabe9961b87b4bfb03d32fdaa02587d395d79046

Download Submit
memory/2944-0-0x00000000005D0000-0x00000000005D3000-memory.dmp

Filesize
12KB

Download
memory/2944-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2944-3-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download