786bd11f4d7202fb3ccd67537bbacaad97b98f623ec177299b6a396a50fb5605

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8644e37f20d7416e0326e57918a36a38.exe
Size

21KB
MD5

8644e37f20d7416e0326e57918a36a38
SHA1

b61af19532388ec6ff436058b5290ccb1865ff94
SHA256

786bd11f4d7202fb3ccd67537bbacaad97b98f623ec177299b6a396a50fb5605
SHA512

cba01d15b6b799570055c451283f2cbc0423bedc006b814733866957b715a0cf27b7d89d4f8b7fe90481bafbf8a1793d950657e873829914d2e54824457e6c31
SSDEEP

384:H93uMdrzKckkzVQK/KPTcrtQ+VDy9WKtjOlnEuTTtWOeo:dfrzKcLz3K7cq+VDyDtylnEe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8644e37f20d7416e0326e57918a36a38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	8644e37f20d7416e0326e57918a36a38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID	8644e37f20d7416e0326e57918a36a38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl	8644e37f20d7416e0326e57918a36a38.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1688	8644e37f20d7416e0326e57918a36a38.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4292	1688	8644e37f20d7416e0326e57918a36a38.exe	96
PID 1688 wrote to memory of 4292	1688	8644e37f20d7416e0326e57918a36a38.exe	96
PID 1688 wrote to memory of 4292	1688	8644e37f20d7416e0326e57918a36a38.exe	96

C:\Users\Admin\AppData\Local\Temp\8644e37f20d7416e0326e57918a36a38.exe
"C:\Users\Admin\AppData\Local\Temp\8644e37f20d7416e0326e57918a36a38.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
  2⤵
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awer0.bat

Filesize
274B

MD5
5fb81c880a7283dc5dc04fb128ad66cd

SHA1
d4562450332d7a86a0bcbb0e5a461f25954d06ac

SHA256
303bb5471af422b35adc9ec174adc45702f7cb51bb5250cac6c04ff151248168

SHA512
13716d27f27731f998a64b1c51e4b6f9ed964f278fc2f968c1362357fee1ce4c42112795665dd5a741b2cf661c2a56236f079302fa9bd20d797763312e5bfcb7

Download Submit