842e2f289935c92dae5c4435973257202bfc720be0f393dab61db7120d98900c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d83368e27aeb1713f73571137175372.exe
Size

3.4MB
MD5

8d83368e27aeb1713f73571137175372
SHA1

5982ca558e2908efe2d4e0f90258a8f51b832c9e
SHA256

842e2f289935c92dae5c4435973257202bfc720be0f393dab61db7120d98900c
SHA512

bc7c9eb991fdae2112cf96139b1979dc28b9d72913ba115def074fdaf3e4831115523bb7b7c954d235bd378897739151bc8ff377f6c3bf932dc60431362611c8
SSDEEP

49152:cN2ICGPZ/TO7pZLDvNNEXajLYSn/OXQdoHnH0irzC9oaSCbVq5Ij4k9P0hdHb9eR:cN2PSULDvNESyQmHHDTDQsIcOXHl/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
23	4056	cmd.exe
24	4056	cmd.exe
28	4056	cmd.exe
29	4056	cmd.exe
52	4056	cmd.exe
53	4056	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	8d83368e27aeb1713f73571137175372.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ttYWbxOf1wfGj.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe	8d83368e27aeb1713f73571137175372.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
2000	ttYWbxOf1wfGj.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe
4056	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4852	2856	8d83368e27aeb1713f73571137175372.exe	85
PID 2856 wrote to memory of 4852	2856	8d83368e27aeb1713f73571137175372.exe	85
PID 2856 wrote to memory of 4852	2856	8d83368e27aeb1713f73571137175372.exe	85
PID 4852 wrote to memory of 2236	4852	8d83368e27aeb1713f73571137175372.exe	91
PID 4852 wrote to memory of 2236	4852	8d83368e27aeb1713f73571137175372.exe	91
PID 4852 wrote to memory of 2236	4852	8d83368e27aeb1713f73571137175372.exe	91
PID 2236 wrote to memory of 2000	2236	ttYWbxOf1wfGj.exe	92
PID 2236 wrote to memory of 2000	2236	ttYWbxOf1wfGj.exe	92
PID 2236 wrote to memory of 2000	2236	ttYWbxOf1wfGj.exe	92
PID 2000 wrote to memory of 4056	2000	ttYWbxOf1wfGj.exe	96
PID 2000 wrote to memory of 4056	2000	ttYWbxOf1wfGj.exe	96
PID 2000 wrote to memory of 4056	2000	ttYWbxOf1wfGj.exe	96
PID 2000 wrote to memory of 4056	2000	ttYWbxOf1wfGj.exe	96
PID 2000 wrote to memory of 4056	2000	ttYWbxOf1wfGj.exe	96

C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe
"C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe
  "C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe" "C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe" "C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe

Filesize
53KB

MD5
a806e63e7d882b1cae238e6bf5e9cff6

SHA1
84ad9e2a4ca4938bb6b92c0cda6d07f7ec4e80ff

SHA256
782e0fa0f68d0d4526132f00a200fe0bc210c127a2ca465e9e336ade549f1381

SHA512
c745b440ecc6eede59f78b6751e8ce4814613586fdffc3a77aefe195af47d6272e836c29e6ae26fd4a982bb68b6b7292b7b6514a8b5225e32bb3b4f2c21262e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe

Filesize
121KB

MD5
db3c063b559133d818aecd81142d8382

SHA1
395a836c3c9ddf457a0a17a9ef2ef010c094f480

SHA256
b1039b206bf0dbd63aa1c850f70c0b64b457929dc42b0a7b5fd09fbe42ab1d92

SHA512
5f4ea84ca1dd764ed181e3c7510800cd52194dc4d9da2a78404499a1ae3eb45574a6c4c133d9ffab65a7727f5b0d32929aebdda75e17acfe54148c316164ad24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe

Filesize
77KB

MD5
6aea48beacfd66a10aebf563fa5328c1

SHA1
e80defbdc85054d4561b8f0b631d3897ab269bb4

SHA256
d9d6c5a4db88918c28e941ae8bb282e8865cd8eadce6ae4588f2add136a2a6ff

SHA512
c4ef68253be6134886e05886203611d7201554bba2d0204d450829b603827755b355423a977000f4c246877d3b9aa7c517270b593b5c0b45192cb1cc7735f766

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttYWbxOf1wfGj.exe

Filesize
1.1MB

MD5
1313d0587487213548ea7522bf516d38

SHA1
c753b81955cb85bd738565f003a0fbef838bd714

SHA256
555a7f0b1698b0b30f19adda7b5ee302e01b0cadb60f67109d3bae523141a4c5

SHA512
1db794b4274b776eba944fe8990fc9ac758e3bc445aecb80073d9c63f4d6d0f43b3d0707a28cffe0b19af7ac07a324c806e0ad3efc20382b422b5fe292bf3e73

Download Submit
memory/2000-21-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2000-14-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2000-22-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/2000-18-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2000-17-0x0000000077132000-0x0000000077133000-memory.dmp

Filesize
4KB

Download
memory/2000-16-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/2000-19-0x0000000077132000-0x0000000077133000-memory.dmp

Filesize
4KB

Download
memory/2236-25-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2236-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2856-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2856-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4056-39-0x00000000091B0000-0x0000000009257000-memory.dmp

Filesize
668KB

Download
memory/4056-45-0x00000000099A0000-0x0000000009BAB000-memory.dmp

Filesize
2.0MB

Download
memory/4056-24-0x0000000002490000-0x000000000252E000-memory.dmp

Filesize
632KB

Download
memory/4056-33-0x00000000061C0000-0x00000000061E1000-memory.dmp

Filesize
132KB

Download
memory/4056-20-0x0000000000F40000-0x0000000000FD9000-memory.dmp

Filesize
612KB

Download
memory/4056-46-0x00000000091B0000-0x0000000009257000-memory.dmp

Filesize
668KB

Download
memory/4056-27-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4056-30-0x0000000002490000-0x000000000252E000-memory.dmp

Filesize
632KB

Download
memory/4056-31-0x0000000002490000-0x000000000252E000-memory.dmp

Filesize
632KB

Download
memory/4056-29-0x0000000077132000-0x0000000077133000-memory.dmp

Filesize
4KB

Download
memory/4056-28-0x0000000077132000-0x0000000077133000-memory.dmp

Filesize
4KB

Download
memory/4056-26-0x0000000077132000-0x0000000077133000-memory.dmp

Filesize
4KB

Download
memory/4056-47-0x0000000009280000-0x0000000009614000-memory.dmp

Filesize
3.6MB

Download
memory/4056-23-0x0000000000F40000-0x0000000000FD9000-memory.dmp

Filesize
612KB

Download
memory/4056-35-0x0000000009620000-0x000000000970A000-memory.dmp

Filesize
936KB

Download
memory/4056-38-0x0000000002490000-0x000000000252E000-memory.dmp

Filesize
632KB

Download
memory/4056-37-0x00000000099A0000-0x0000000009BAB000-memory.dmp

Filesize
2.0MB

Download
memory/4056-36-0x00000000090F0000-0x00000000091AD000-memory.dmp

Filesize
756KB

Download
memory/4056-40-0x0000000009280000-0x0000000009614000-memory.dmp

Filesize
3.6MB

Download
memory/4056-34-0x0000000006240000-0x00000000062BE000-memory.dmp

Filesize
504KB

Download
memory/4056-32-0x00000000061F0000-0x0000000006239000-memory.dmp

Filesize
292KB

Download
memory/4056-41-0x0000000000F40000-0x0000000000FD9000-memory.dmp

Filesize
612KB

Download
memory/4056-42-0x0000000002490000-0x000000000252E000-memory.dmp

Filesize
632KB

Download
memory/4056-43-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4056-44-0x00000000090F0000-0x00000000091AD000-memory.dmp

Filesize
756KB

Download
memory/4852-10-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4852-1-0x0000000002A40000-0x0000000002ADE000-memory.dmp

Filesize
632KB

Download
memory/4852-13-0x0000000002A40000-0x0000000002ADE000-memory.dmp

Filesize
632KB

Download