36e926e4b29dd1f763b9e99518546447ca3afbaaae67861ac27933e5d607be3b

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7841911ea47607b89bbe7e560b8db0f4.exe
Size

3.4MB
MD5

7841911ea47607b89bbe7e560b8db0f4
SHA1

9389913c6861b9fa5bc4b4621278a81eae4e8fb4
SHA256

36e926e4b29dd1f763b9e99518546447ca3afbaaae67861ac27933e5d607be3b
SHA512

0468dd4bb51ee8842e62fde35d513ea02ddb64fb2a87642ce87fb02af3205d21e758d13b3816fa855eebab9fb4d3ea5e9999c74c87dc4a2b500727764999c5a3
SSDEEP

98304:1DP4rzp9/Bn9EbdY94qRaztW3kOLdCNnXZ4IWhxrnrYNy3R2D:qp1AZY94xpOkXKXhxrs6R4

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
32	3332	cmd.exe
36	3332	cmd.exe
41	3332	cmd.exe
43	3332	cmd.exe
44	3332	cmd.exe
60	3332	cmd.exe
65	3332	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7841911ea47607b89bbe7e560b8db0f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	qBQpJFKpmiE44.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe	7841911ea47607b89bbe7e560b8db0f4.exe

Executes dropped EXE 2 IoCs

pid	Process
4488	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3780	qBQpJFKpmiE44.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe
3332	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 556	4496	7841911ea47607b89bbe7e560b8db0f4.exe	87
PID 4496 wrote to memory of 556	4496	7841911ea47607b89bbe7e560b8db0f4.exe	87
PID 4496 wrote to memory of 556	4496	7841911ea47607b89bbe7e560b8db0f4.exe	87
PID 556 wrote to memory of 4488	556	7841911ea47607b89bbe7e560b8db0f4.exe	94
PID 556 wrote to memory of 4488	556	7841911ea47607b89bbe7e560b8db0f4.exe	94
PID 556 wrote to memory of 4488	556	7841911ea47607b89bbe7e560b8db0f4.exe	94
PID 4488 wrote to memory of 3780	4488	qBQpJFKpmiE44.exe	95
PID 4488 wrote to memory of 3780	4488	qBQpJFKpmiE44.exe	95
PID 4488 wrote to memory of 3780	4488	qBQpJFKpmiE44.exe	95
PID 3780 wrote to memory of 3332	3780	qBQpJFKpmiE44.exe	99
PID 3780 wrote to memory of 3332	3780	qBQpJFKpmiE44.exe	99
PID 3780 wrote to memory of 3332	3780	qBQpJFKpmiE44.exe	99
PID 3780 wrote to memory of 3332	3780	qBQpJFKpmiE44.exe	99
PID 3780 wrote to memory of 3332	3780	qBQpJFKpmiE44.exe	99

C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe
"C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe
  "C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe" "C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe" "C:\Users\Admin\AppData\Local\Temp\7841911ea47607b89bbe7e560b8db0f4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe

Filesize
3.2MB

MD5
89aa57a132ce76bf47dbb15a8ed2138b

SHA1
1fbcd3d4b752ef130c4a51a2ca8940e2208a4da9

SHA256
9b776d55cf2024f096ecab49175e671bd903f5b447ab1c18693133c6f3a9f22f

SHA512
39337e3078fc1ef0297a05b09f550d856797e8eb80631b3273845b9425fff84f28fd3b269231900482262d37d0f1d9eebe8fd18950bbb0e35510f53ef3351545

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBQpJFKpmiE44.exe

Filesize
3.4MB

MD5
6eb8f16279903eca313c4cff63048c25

SHA1
b3a5aea85ef13172f93f369ce600065f0c7468fa

SHA256
d36280ad571fa57583d6c2d2fc7fd89554e0cd5cedf211cceedfac38f6922fc3

SHA512
6e4f9438b2565d4707db09f03d0fc948f0fb2d334f65e4d017ffa4ace673ea14c6c7e14ce7132ddf52fc5865eb6b4ed01ed0a178d42d2eb8eb155ac065f84afe

Download Submit
memory/556-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/556-2-0x0000000002A00000-0x0000000002A9E000-memory.dmp

Filesize
632KB

Download
memory/556-18-0x0000000002A00000-0x0000000002A9E000-memory.dmp

Filesize
632KB

Download
memory/556-6-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3332-47-0x0000000005E80000-0x0000000005F6A000-memory.dmp

Filesize
936KB

Download
memory/3332-38-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-58-0x0000000008BD0000-0x0000000008F64000-memory.dmp

Filesize
3.6MB

Download
memory/3332-57-0x0000000005F70000-0x0000000006017000-memory.dmp

Filesize
668KB

Download
memory/3332-56-0x0000000009200000-0x000000000940B000-memory.dmp

Filesize
2.0MB

Download
memory/3332-55-0x0000000005220000-0x00000000052DD000-memory.dmp

Filesize
756KB

Download
memory/3332-54-0x00000000050F0000-0x0000000005139000-memory.dmp

Filesize
292KB

Download
memory/3332-53-0x0000000008BD0000-0x0000000008F64000-memory.dmp

Filesize
3.6MB

Download
memory/3332-52-0x0000000005F70000-0x0000000006017000-memory.dmp

Filesize
668KB

Download
memory/3332-51-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/3332-50-0x00000000017E0000-0x000000000187E000-memory.dmp

Filesize
632KB

Download
memory/3332-26-0x0000000001660000-0x00000000016F9000-memory.dmp

Filesize
612KB

Download
memory/3332-49-0x0000000009200000-0x000000000940B000-memory.dmp

Filesize
2.0MB

Download
memory/3332-48-0x0000000005220000-0x00000000052DD000-memory.dmp

Filesize
756KB

Download
memory/3332-31-0x00000000017E0000-0x000000000187E000-memory.dmp

Filesize
632KB

Download
memory/3332-32-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-33-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-34-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-35-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/3332-36-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-37-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-46-0x0000000005140000-0x00000000051BE000-memory.dmp

Filesize
504KB

Download
memory/3332-39-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-40-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3332-41-0x00000000017E0000-0x000000000187E000-memory.dmp

Filesize
632KB

Download
memory/3332-42-0x00000000017E0000-0x000000000187E000-memory.dmp

Filesize
632KB

Download
memory/3332-43-0x00000000017E0000-0x000000000187E000-memory.dmp

Filesize
632KB

Download
memory/3332-44-0x00000000050F0000-0x0000000005139000-memory.dmp

Filesize
292KB

Download
memory/3332-45-0x0000000004EC0000-0x0000000004EE1000-memory.dmp

Filesize
132KB

Download
memory/3780-23-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3780-28-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/3780-27-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3780-25-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3780-21-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3780-22-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3780-20-0x0000000077B22000-0x0000000077B23000-memory.dmp

Filesize
4KB

Download
memory/3780-19-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/3780-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4488-24-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4488-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4496-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4496-3-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download