7d01c814e4dc147036470e958c30ec7daa1a2140961e6865d0d6b2db40c66d46

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b49a7999428556c109be5771dce3b2e.exe
Size

455KB
MD5

7b49a7999428556c109be5771dce3b2e
SHA1

2b539957e2c9720bfc1f4018448803f0399cb421
SHA256

7d01c814e4dc147036470e958c30ec7daa1a2140961e6865d0d6b2db40c66d46
SHA512

ab3e7fc465603c98b20a6e8bab8bb9af3c702b2992d24e437ee80b9e6b68fd7775e507df24bf39963368ad55d2f1ff1250b271d93784450ca68e3f238a0b60d6
SSDEEP

12288:tPUdz/leuYergLm9AhJ4rhFkpMMnMMMMME0bJvQI6xMdI0+6DtByCVwHM1a:tsN/leuZz8W7kpMMnMMMMME029s+6RwH

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7b49a7999428556c109be5771dce3b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
4256	cRdQIGspBdjhpow.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cRdQIGspBdjhpow = "C:\\ProgramData\\cRdQIGspBdjhpow.exe"	7b49a7999428556c109be5771dce3b2e.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cRdQIGspBdjhpow.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cRdQIGspBdjhpow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7b49a7999428556c109be5771dce3b2e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7b49a7999428556c109be5771dce3b2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Download	7b49a7999428556c109be5771dce3b2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	7b49a7999428556c109be5771dce3b2e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
3716	7b49a7999428556c109be5771dce3b2e.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe
4256	cRdQIGspBdjhpow.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3716	7b49a7999428556c109be5771dce3b2e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4256	3716	7b49a7999428556c109be5771dce3b2e.exe	89
PID 3716 wrote to memory of 4256	3716	7b49a7999428556c109be5771dce3b2e.exe	89
PID 3716 wrote to memory of 4256	3716	7b49a7999428556c109be5771dce3b2e.exe	89

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7b49a7999428556c109be5771dce3b2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	7b49a7999428556c109be5771dce3b2e.exe

C:\Users\Admin\AppData\Local\Temp\7b49a7999428556c109be5771dce3b2e.exe
"C:\Users\Admin\AppData\Local\Temp\7b49a7999428556c109be5771dce3b2e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3716
- C:\ProgramData\cRdQIGspBdjhpow.exe
  "C:\ProgramData\cRdQIGspBdjhpow.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cRdQIGspBdjhpow.exe

Filesize
455KB

MD5
7b49a7999428556c109be5771dce3b2e

SHA1
2b539957e2c9720bfc1f4018448803f0399cb421

SHA256
7d01c814e4dc147036470e958c30ec7daa1a2140961e6865d0d6b2db40c66d46

SHA512
ab3e7fc465603c98b20a6e8bab8bb9af3c702b2992d24e437ee80b9e6b68fd7775e507df24bf39963368ad55d2f1ff1250b271d93784450ca68e3f238a0b60d6

Download Submit
memory/3716-0-0x0000000002E60000-0x0000000003DF0000-memory.dmp

Filesize
15.6MB

Download
memory/3716-1-0x00000000006A0000-0x00000000008E9000-memory.dmp

Filesize
2.3MB

Download
memory/3716-15-0x00000000006A0000-0x00000000008E9000-memory.dmp

Filesize
2.3MB

Download
memory/4256-13-0x0000000002F60000-0x0000000004260000-memory.dmp

Filesize
19.0MB

Download
memory/4256-14-0x0000000000A10000-0x0000000000C59000-memory.dmp

Filesize
2.3MB

Download
memory/4256-16-0x0000000000A10000-0x0000000000C59000-memory.dmp

Filesize
2.3MB

Download