ed1a5c685b9a0677ef55d8751a58dcec4c30267b0374923eb012a0af168b792f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b68e849afbe42d2cde7fab8e11d747c.exe
Size

3.4MB
MD5

7b68e849afbe42d2cde7fab8e11d747c
SHA1

e1089185134c93cb3aa688c12338e483de2a3955
SHA256

ed1a5c685b9a0677ef55d8751a58dcec4c30267b0374923eb012a0af168b792f
SHA512

6440f487e88874e0796e9f72942914992dd74097b980e46f1f72e8d86b34820134912d08effe21de6b278f89b250ac5010c2dd3daa7d0c92c43face27d9ef364
SSDEEP

98304:VTsHu0FPlZiv+KkHDh3enUa33bFLaONxUrd5b:uO0FPlEGKkl3enJ335aONxyT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
24	3640	cmd.exe
25	3640	cmd.exe
26	3640	cmd.exe
41	3640	cmd.exe
42	3640	cmd.exe
45	3640	cmd.exe
46	3640	cmd.exe
49	3640	cmd.exe
52	3640	cmd.exe
53	3640	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	q8jQXsZ2TOpY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	7b68e849afbe42d2cde7fab8e11d747c.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe	7b68e849afbe42d2cde7fab8e11d747c.exe

Executes dropped EXE 2 IoCs

pid	Process
1584	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3196	q8jQXsZ2TOpY.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe
3640	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1964	2976	7b68e849afbe42d2cde7fab8e11d747c.exe	87
PID 2976 wrote to memory of 1964	2976	7b68e849afbe42d2cde7fab8e11d747c.exe	87
PID 2976 wrote to memory of 1964	2976	7b68e849afbe42d2cde7fab8e11d747c.exe	87
PID 1964 wrote to memory of 1584	1964	7b68e849afbe42d2cde7fab8e11d747c.exe	94
PID 1964 wrote to memory of 1584	1964	7b68e849afbe42d2cde7fab8e11d747c.exe	94
PID 1964 wrote to memory of 1584	1964	7b68e849afbe42d2cde7fab8e11d747c.exe	94
PID 1584 wrote to memory of 3196	1584	q8jQXsZ2TOpY.exe	95
PID 1584 wrote to memory of 3196	1584	q8jQXsZ2TOpY.exe	95
PID 1584 wrote to memory of 3196	1584	q8jQXsZ2TOpY.exe	95
PID 3196 wrote to memory of 3640	3196	q8jQXsZ2TOpY.exe	98
PID 3196 wrote to memory of 3640	3196	q8jQXsZ2TOpY.exe	98
PID 3196 wrote to memory of 3640	3196	q8jQXsZ2TOpY.exe	98
PID 3196 wrote to memory of 3640	3196	q8jQXsZ2TOpY.exe	98
PID 3196 wrote to memory of 3640	3196	q8jQXsZ2TOpY.exe	98

C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe
"C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe
  "C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe" "C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe" "C:\Users\Admin\AppData\Local\Temp\7b68e849afbe42d2cde7fab8e11d747c.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe

Filesize
1.8MB

MD5
c1b2a42f7a68a1114fcbb2431d3aa599

SHA1
b53b3b68528857e29f1c0d258a0b7b71d0ad707b

SHA256
d94ef0614eb9a2da565b235a0646541349ec290352e74d94ef3d665689b5e404

SHA512
3695e51b1c8847f4c78bc16d0bf74f3588c514b0f67b0bb0ac972b52e0a68fa1cb8b1cc828324008847014c0d3b8e1d74f3d57746806177f97151d8e424186f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe

Filesize
1.5MB

MD5
76304d68789a13afafaa1053f634c214

SHA1
5802467365dba871f565fd894c12ebcf002fa7e6

SHA256
881213ace49ea7cfc5513cc04d3d5b1143fd66407ebc2847f58f7f0be65c14fb

SHA512
89a8963e6cd7767dd875a978da2973078bff671ac388e104a019b87819b5450eead4fcc7c52bfcd8e7241aac2a9a0594b2c847a603c0373686ea8957a9b1fbe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe

Filesize
2.4MB

MD5
ec42ab9095a97203c19f5a0e21a7e41c

SHA1
b51322fffbf1582d55000c6ac312a7e078d20000

SHA256
1a9f9f4a5ee74952c1f9407af73def6bafa877f27ed08a1d892db5337a6cfcbb

SHA512
9d8269571649650a99824257dc32968a4b99d4b409c6347aaf9537b733fcdecfc6b51f3cdd40e7556f66caa7395306ae918752e457969c9341694480cffd1e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8jQXsZ2TOpY.exe

Filesize
1.3MB

MD5
3fd398ef28deffc7aae538c41879e447

SHA1
36dd19c1aa38c050b0922d4f70d4ba4e6126f25e

SHA256
c0a5966b5db4b541243328d897191f373e3a0af2fa391117f6a1d4b7388a2259

SHA512
ce9c52120898470f1271145053cdce2f1dec37012a42bbbc4590a6d5423adcfb2aac91ce0006725e810f16aa454561e4964e29698e07be6af9ff34f213ef17c9

Download Submit
memory/1584-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1964-13-0x0000000002AB0000-0x0000000002B4E000-memory.dmp

Filesize
632KB

Download
memory/1964-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1964-2-0x0000000002AB0000-0x0000000002B4E000-memory.dmp

Filesize
632KB

Download
memory/1964-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2976-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2976-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3196-22-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3196-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3196-17-0x00000000029D0000-0x0000000002A6E000-memory.dmp

Filesize
632KB

Download
memory/3196-18-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3196-19-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3196-20-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3196-23-0x00000000029D0000-0x0000000002A6E000-memory.dmp

Filesize
632KB

Download
memory/3640-24-0x0000000001370000-0x0000000001409000-memory.dmp

Filesize
612KB

Download
memory/3640-35-0x00000000016A0000-0x000000000173E000-memory.dmp

Filesize
632KB

Download
memory/3640-21-0x0000000001370000-0x0000000001409000-memory.dmp

Filesize
612KB

Download
memory/3640-27-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3640-28-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/3640-29-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3640-30-0x00000000016A0000-0x000000000173E000-memory.dmp

Filesize
632KB

Download
memory/3640-31-0x00000000016A0000-0x000000000173E000-memory.dmp

Filesize
632KB

Download
memory/3640-32-0x0000000005F10000-0x0000000005F59000-memory.dmp

Filesize
292KB

Download
memory/3640-33-0x0000000005EE0000-0x0000000005F01000-memory.dmp

Filesize
132KB

Download
memory/3640-34-0x0000000008530000-0x00000000085AE000-memory.dmp

Filesize
504KB

Download
memory/3640-25-0x00000000016A0000-0x000000000173E000-memory.dmp

Filesize
632KB

Download
memory/3640-36-0x0000000008A70000-0x0000000008B5A000-memory.dmp

Filesize
936KB

Download
memory/3640-37-0x0000000005F60000-0x000000000601D000-memory.dmp

Filesize
756KB

Download
memory/3640-38-0x0000000008DF0000-0x0000000008FFB000-memory.dmp

Filesize
2.0MB

Download
memory/3640-39-0x0000000008B60000-0x0000000008C07000-memory.dmp

Filesize
668KB

Download
memory/3640-40-0x00000000086D0000-0x0000000008A64000-memory.dmp

Filesize
3.6MB

Download
memory/3640-41-0x0000000001370000-0x0000000001409000-memory.dmp

Filesize
612KB

Download
memory/3640-42-0x00000000016A0000-0x000000000173E000-memory.dmp

Filesize
632KB

Download
memory/3640-43-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/3640-44-0x0000000005F60000-0x000000000601D000-memory.dmp

Filesize
756KB

Download
memory/3640-45-0x0000000008DF0000-0x0000000008FFB000-memory.dmp

Filesize
2.0MB

Download
memory/3640-46-0x0000000008B60000-0x0000000008C07000-memory.dmp

Filesize
668KB

Download
memory/3640-47-0x00000000086D0000-0x0000000008A64000-memory.dmp

Filesize
3.6MB

Download