8471b910ca27f0ca1408d5fbea466040c85de6963e99b97b496a937f241cdf23

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e19b2b97cc2e5de685917189f391499.exe
Size

762KB
MD5

7e19b2b97cc2e5de685917189f391499
SHA1

11f7d260108b230ac1a73515b97951a3bb5eb22e
SHA256

8471b910ca27f0ca1408d5fbea466040c85de6963e99b97b496a937f241cdf23
SHA512

008b982f336a8151ee0be01d1ce3bbb9ffa79a434d76d16750a897f3b8184e4ff204b8ef5da5794eb11b464a7cfbd98879ce7df36f7fce527b0b3538826f4ebd
SSDEEP

12288:ntobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnu:ntDltItNW7pjDlpt5XY/2TkXKza/29y

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	internal7e19b2b97cc2e5de685917189f391499.exe

Executes dropped EXE 1 IoCs

pid	Process
416	internal7e19b2b97cc2e5de685917189f391499.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3620	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
416	internal7e19b2b97cc2e5de685917189f391499.exe
416	internal7e19b2b97cc2e5de685917189f391499.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
416	internal7e19b2b97cc2e5de685917189f391499.exe
416	internal7e19b2b97cc2e5de685917189f391499.exe
416	internal7e19b2b97cc2e5de685917189f391499.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 416	4528	7e19b2b97cc2e5de685917189f391499.exe	84
PID 4528 wrote to memory of 416	4528	7e19b2b97cc2e5de685917189f391499.exe	84
PID 4528 wrote to memory of 416	4528	7e19b2b97cc2e5de685917189f391499.exe	84
PID 416 wrote to memory of 4904	416	internal7e19b2b97cc2e5de685917189f391499.exe	90
PID 416 wrote to memory of 4904	416	internal7e19b2b97cc2e5de685917189f391499.exe	90
PID 416 wrote to memory of 4904	416	internal7e19b2b97cc2e5de685917189f391499.exe	90
PID 4904 wrote to memory of 3620	4904	cmd.exe	92
PID 4904 wrote to memory of 3620	4904	cmd.exe	92
PID 4904 wrote to memory of 3620	4904	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\7e19b2b97cc2e5de685917189f391499.exe
"C:\Users\Admin\AppData\Local\Temp\7e19b2b97cc2e5de685917189f391499.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\nsdDB9.tmp\internal7e19b2b97cc2e5de685917189f391499.exe
  C:\Users\Admin\AppData\Local\Temp\nsdDB9.tmp\internal7e19b2b97cc2e5de685917189f391499.exe C:/Users/Admin/AppData/Local/Temp/nsdDB9.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/7e19b2b97cc2e5de685917189f391499.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsdDB9.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2317.bat" "C:\Users\Admin\AppData\Local\Temp\6D3524A51D4943A6A99BCF63889654DB\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\$IA3G4EW

Filesize
98B

MD5
3d5ec98ced270a99b1256575e041375d

SHA1
94475891c017bcef072d84d6063ac5cfff5c83e9

SHA256
608c12583141a6eef21071041d4a68c9df0ea9c0c54560d7433c3be0ba490ecb

SHA512
aeab65bfc2a0febcebc979cdce2476c151924e4d4a67ea4f46d46db87283a2d4e513cfcb16e537b5e36263fa14545edec71cd91a5c8d660d36662110060d2bb3

Download Submit
C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\$IDR3DLL

Filesize
96B

MD5
77e659fd29de3c8df7edfaad1c65cc15

SHA1
4626906ec924e9041968156f15535212540842a5

SHA256
3c0551fc6e6ba02c16c04e10cb612862f20dfc1af12c48a96214ad672ee993c2

SHA512
06dcba39f6b064e20ac43eeab9b35f0744fe9569422fbcf070f9751cb385b793e2353f6f155872aee1afac5f6b3fde9bef2472476003b431a617e3dac9624dda

Download Submit
C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\$IHFTEM5

Filesize
98B

MD5
1de079512e4617041fe153701db98b0b

SHA1
84588ad6b6cc1195dc498325d88031cfe63d3243

SHA256
1268ca8b6175a5f85f4a0876be743c53f162694b7cc795c4f900a22201758986

SHA512
8c645ddb1ccc106d72f4590ac29bf37f409cc5dd234714772e915ea24e9080704b23458f06208a247f4609446853c9038b27aee269e326c69cb463a6ab7d2f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\2317.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D3524A51D4943A6A99BCF63889654DB\6D3524A51D4943A6A99BCF63889654DB_LogFile.txt

Filesize
1KB

MD5
cd20f0d0516be35d38c0f7445c587517

SHA1
334825f7ea03b8b629bf0bc71ee2e7062ab78284

SHA256
81282fab0ed4fe642312e4b1e3f8ad7bf16d42ed8abb4ce488ea9485bdfaf190

SHA512
a80a48947b34e3bd84f40b36b8f07340b964eb65bc352528de221ce30cc01fdca4cbb3a93864c8c69d2544ab257407ddf29769876501fd80ee186ddbc6b5e137

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D3524A51D4943A6A99BCF63889654DB\6D3524A51D4943A6A99BCF63889654DB_LogFile.txt

Filesize
3KB

MD5
ce4322b8885556c97f27ec2d856fa717

SHA1
6532240782be2a18dd81202eb23ea2b210af31db

SHA256
766298d38a32e669beabeeb4b939b1e712caece339bbb39809784fe69c4fc655

SHA512
8ebf4c4e991ba7dd6d7026f8f3a68c756b1fb3e49d9fe79d2659df5b77b3ee0d2966938282dae1897da06f8a797285708210a606902eebbf368ea8334e3467e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D3524A51D4943A6A99BCF63889654DB\6D3524A51D4943A6A99BCF63889654DB_LogFile.txt

Filesize
4KB

MD5
11feae1507f99efeb0d52b02352a9585

SHA1
a7f0174f2f623d9e3588fb3c933cd694834ebb58

SHA256
017646ff3ff9b8fe02cb596c696cba486e4e8358acf38dc3a6877f8e62045ac6

SHA512
7df636c981af763264bfe5a9761260c19c1080307c7a9a56c4861aead42fee42e4c755c5e61088ed28f518324c01b1aa3bafeb9f54ca1eb5e63b7a383c560c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D3524A51D4943A6A99BCF63889654DB\6D3524~1.TXT

Filesize
26KB

MD5
b60753db7b743466b4de2ef60f011ff9

SHA1
620457479e0339027b633c36ecd26bee14d29659

SHA256
0267399aba337aff107bc67ccb34ac7104b032a4097203f09e8116bb8ec22d12

SHA512
4aac8fa9a8cf57a9dae6e6ffddf5fd8fc30240fe4fb8a3ee667ae733844c61bbfe40378808660febae3096d6d4e6c2aeef688ba90a4c85084168a5d0d28ed3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB9.tmp\internal7e19b2b97cc2e5de685917189f391499.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB9.tmp\internal7e19b2b97cc2e5de685917189f391499_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB9.tmp\internal7e19b2b97cc2e5de685917189f391499_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/416-74-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/4528-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download