8ade2070b8a527d59b2ab9c16de81449f368f286b7a826ee33f2182701cf7447

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fa451708d26a3f3ed7f8e8cd448a5d.exe
Size

1.1MB
MD5

77fa451708d26a3f3ed7f8e8cd448a5d
SHA1

dbb910ce9121220c4baae79884ebfbf7ce86e632
SHA256

8ade2070b8a527d59b2ab9c16de81449f368f286b7a826ee33f2182701cf7447
SHA512

344e8b4d2544499882bab0d933777b0b4380cde8640288d0084989bbd42eb29093bb2f0a916b2585608197af17d7f817176c50433a16c396f0d31830e1aa95a1
SSDEEP

24576:lUXvfNa2/Bjq8y+DtBkRollGQdKnWYwP1Am6xoaF+0OHB4XY513Vd0ZkA:lq/B+8yiDllEQA+uy/hHBOY51ekA

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	2020	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	77fa451708d26a3f3ed7f8e8cd448a5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	e585946.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	rundll32.exe
2020	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5484	2488	WerFault.exe	98

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2020	5016	77fa451708d26a3f3ed7f8e8cd448a5d.exe	87
PID 5016 wrote to memory of 2020	5016	77fa451708d26a3f3ed7f8e8cd448a5d.exe	87
PID 5016 wrote to memory of 2020	5016	77fa451708d26a3f3ed7f8e8cd448a5d.exe	87
PID 2020 wrote to memory of 2488	2020	rundll32.exe	98
PID 2020 wrote to memory of 2488	2020	rundll32.exe	98
PID 2020 wrote to memory of 2488	2020	rundll32.exe	98

C:\Users\Admin\AppData\Local\Temp\77fa451708d26a3f3ed7f8e8cd448a5d.exe
"C:\Users\Admin\AppData\Local\Temp\77fa451708d26a3f3ed7f8e8cd448a5d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" .\JWSQ16.z sxsC
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\e585946.exe
    "C:\Users\Admin\AppData\Local\Temp\e585946.exe"
    3⤵
    - Executes dropped EXE
    PID:2488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 804
      4⤵
      Program crash
      PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2488 -ip 2488
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JWSQ16.z

Filesize
1.2MB

MD5
371f44551edf257371a2ab7e70ef9bfd

SHA1
6dad5ae9d0cca8bc9d2d8cb76e8cdd4d7384f375

SHA256
680264905bcd27b0629bfe6b506c1ba2f2239c94636900f9ddc22e34372cbde4

SHA512
0ef3c23108e16828f5fb7aee61bd32278d9ed8c0ff3330f51f713604948382745b75d014d807d82f484cde03989a3f97e7639983754006b8bae1ebb8074710b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e585946.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
memory/2020-16-0x0000000003410000-0x00000000034AA000-memory.dmp

Filesize
616KB

Download
memory/2020-18-0x0000000003FB0000-0x0000000004044000-memory.dmp

Filesize
592KB

Download
memory/2020-8-0x0000000003280000-0x0000000003335000-memory.dmp

Filesize
724KB

Download
memory/2020-9-0x0000000003350000-0x00000000033FE000-memory.dmp

Filesize
696KB

Download
memory/2020-10-0x0000000003410000-0x00000000034AA000-memory.dmp

Filesize
616KB

Download
memory/2020-13-0x0000000003410000-0x00000000034AA000-memory.dmp

Filesize
616KB

Download
memory/2020-14-0x00000000028E0000-0x0000000002A1E000-memory.dmp

Filesize
1.2MB

Download
memory/2020-17-0x00000000034B0000-0x0000000003FAE000-memory.dmp

Filesize
11.0MB

Download
memory/2020-6-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x00000000030E0000-0x00000000031B1000-memory.dmp

Filesize
836KB

Download
memory/2020-23-0x0000000004060000-0x00000000040EE000-memory.dmp

Filesize
568KB

Download
memory/2020-20-0x0000000004060000-0x00000000040EE000-memory.dmp

Filesize
568KB

Download
memory/2020-24-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/2020-25-0x0000000000B40000-0x0000000000B46000-memory.dmp

Filesize
24KB

Download
memory/2020-27-0x0000000003280000-0x0000000003335000-memory.dmp

Filesize
724KB

Download
memory/2020-5-0x00000000028E0000-0x0000000002A1E000-memory.dmp

Filesize
1.2MB

Download
memory/2488-42-0x0000000072AB0000-0x0000000073260000-memory.dmp

Filesize
7.7MB

Download
memory/2488-41-0x0000000000110000-0x0000000000118000-memory.dmp

Filesize
32KB

Download
memory/2488-44-0x0000000072AB0000-0x0000000073260000-memory.dmp

Filesize
7.7MB

Download