bb22907766b1fc94cca3fe5c6dc8b21592cce538d8ce13d246fef06f971852ed

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7858ffe38e7c9fdddb27580454fe27b2.exe
Size

28KB
MD5

7858ffe38e7c9fdddb27580454fe27b2
SHA1

f629fdca0f6059afde407adc6e5d08088c5dd321
SHA256

bb22907766b1fc94cca3fe5c6dc8b21592cce538d8ce13d246fef06f971852ed
SHA512

23793149d3aa3fcca12ce03c1da6fb3e8c93c6550ef4c213b1c7fc7e329e393cf82e9a7bd2181e7a20af8649413ea03f35a57c71c7a8e5016bbd7ae55a5f62dd
SSDEEP

768:hwMMhelk3xh2uHL5oEYEeP2zxQ0b3ZFSuM4koR/U:htK3v3L5obEkw3Xe4zU

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	7858ffe38e7c9fdddb27580454fe27b2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1932-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1932-8-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1184	1932	7858ffe38e7c9fdddb27580454fe27b2.exe	92
PID 1932 wrote to memory of 1184	1932	7858ffe38e7c9fdddb27580454fe27b2.exe	92
PID 1932 wrote to memory of 1184	1932	7858ffe38e7c9fdddb27580454fe27b2.exe	92

C:\Users\Admin\AppData\Local\Temp\7858ffe38e7c9fdddb27580454fe27b2.exe
"C:\Users\Admin\AppData\Local\Temp\7858ffe38e7c9fdddb27580454fe27b2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
210B

MD5
aa66414fa9542558731b1a20004376e1

SHA1
045ea88bce7faf30d357756bfa9f016ed97b4046

SHA256
4ae637fbf3b2df273b9fdce5ad0d96b5c21b0102db348e1a3b4ece36f5745742

SHA512
4a9b88b4a5040fa38f66066b766cd0bb5475b51dd5c3209d11258bb4babdb8900919a272e126244fc572ef1b3aaf0d127f0854c3306974fff647b2943ac948f7

Download Submit
memory/1932-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1932-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download