Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 74f4d21c3c646d1f2ed34b1b3c4486a9.exe
- Resource: win7-20231129-en
General
- Target: 74f4d21c3c646d1f2ed34b1b3c4486a9.exe
- Size: 48KB
- MD5: 74f4d21c3c646d1f2ed34b1b3c4486a9
- SHA1: ef8c109f37c92cf22dc09ad4123fcf2595025450
- SHA256: 08563576ca859f28436fcc3e2d7c30f8573a007879825d5150eb47a73325299f
- SHA512: 4b1b366cba014025103d3b22b08abde33ebfe1e02282f45a0ab754f22d0e1fcffd453cefb9e752816eae5bca96003f49d884354781e8203f9b4fb1d6096ba366
- SSDEEP: 768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxa:24Bobv7aB0EooYEC3rUVcYa
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 74f4d21c3c646d1f2ed34b1b3c4486a9.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 74f4d21c3c646d1f2ed34b1b3c4486a9.exe
- Executes dropped EXE (1 IoC)
  Processes: zbhnd.exe
  pid | process
  2920 | zbhnd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 74f4d21c3c646d1f2ed34b1b3c4486a9.exe
  description | pid | process | target process
  PID 1052 wrote to memory of 2920 | 1052 | 74f4d21c3c646d1f2ed34b1b3c4486a9.exe | zbhnd.exe
  PID 1052 wrote to memory of 2920 | 1052 | 74f4d21c3c646d1f2ed34b1b3c4486a9.exe | zbhnd.exe
  PID 1052 wrote to memory of 2920 | 1052 | 74f4d21c3c646d1f2ed34b1b3c4486a9.exe | zbhnd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74f4d21c3c646d1f2ed34b1b3c4486a9.exe "C:\Users\Admin\AppData\Local\Temp\74f4d21c3c646d1f2ed34b1b3c4486a9.exe" (PID: 1052)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe" (PID: 2920)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  Filesize: 48KB
  MD5: a7dd4ac4c22a3fa6c3bce3929c4562ee
  SHA1: 4be14292721390fb15e62637af50d4d497952aca
  SHA256: 0aedf2ff4f0e3de55b5868bd07adfc3eebd249a119d59fdbea1d9c7670fc2207
  SHA512: 91e6f083498180bd9acf40b3f2dfcad501a43c93e5af01e8913366722bff8a6287933bb68126d48b3c4c2175a56b8563c7bbedd40817a0b671ec0c8c23124d9b
- memory/1052-0-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/1052-1-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2920-14-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB