498fbec78629442191b992a7dc25e17c946ff0c18a46dc450905743e60149b4e

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b042d76027198f7aa0a09b6385a8a28.exe
Size

202KB
MD5

8b042d76027198f7aa0a09b6385a8a28
SHA1

118abd315b4395c13aeba304288afbe16f8cef4a
SHA256

498fbec78629442191b992a7dc25e17c946ff0c18a46dc450905743e60149b4e
SHA512

13828f392ac26388a64311e6bc001ea232420700fe43093dcfb9a680428252c0449fbd188bbfd71c19e547f6e9c64d328425b069e99f10d59fccd00f7b40f23c
SSDEEP

6144:5ZuuObR8sVImcyYC5JpWJj+pDswSrFuSaHZ5:WV+mzFfsFuRZ5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8b042d76027198f7aa0a09b6385a8a28.exe

Executes dropped EXE 3 IoCs

pid	Process
5336	11.exe
6136	xcacls.exe
5016	xcacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 5336	4084	8b042d76027198f7aa0a09b6385a8a28.exe	88
PID 4084 wrote to memory of 5336	4084	8b042d76027198f7aa0a09b6385a8a28.exe	88
PID 4084 wrote to memory of 5336	4084	8b042d76027198f7aa0a09b6385a8a28.exe	88
PID 5336 wrote to memory of 220	5336	11.exe	89
PID 5336 wrote to memory of 220	5336	11.exe	89
PID 5336 wrote to memory of 220	5336	11.exe	89
PID 220 wrote to memory of 6136	220	cmd.exe	91
PID 220 wrote to memory of 6136	220	cmd.exe	91
PID 220 wrote to memory of 6136	220	cmd.exe	91
PID 220 wrote to memory of 5016	220	cmd.exe	93
PID 220 wrote to memory of 5016	220	cmd.exe	93
PID 220 wrote to memory of 5016	220	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\8b042d76027198f7aa0a09b6385a8a28.exe
"C:\Users\Admin\AppData\Local\Temp\8b042d76027198f7aa0a09b6385a8a28.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5336
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1306.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\xcacls.exe
      xcacls d:\autorun.inf /p guest:n /y
      4⤵
      Executes dropped EXE
      PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\xcacls.exe
      xcacls e:\autorun.inf /p guest:n /y
      4⤵
      Executes dropped EXE
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\11.EXE

Filesize
146KB

MD5
53f51af27da371c837bd4397324d0038

SHA1
c0e82e388ee517f22ed7fa2b7ddfecde7d388c8d

SHA256
8deae5fcc35dd450570df75ec1f9cc3c2f5f4b8a5b8e39ac4521d492dfcd8173

SHA512
dd9dcfbf6db201551e18438ed8b450824a142d15d63ec64c015b316af77ddbdb35c21b9d1cb03cd70cd7654eaa85c8a141401031b4fc1422c49e4b1c5b3b6720

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xcacls.exe

Filesize
89KB

MD5
98f2272a7d1ba8e3155fbea167bcc613

SHA1
5315e172dd1f431a5c70efa28e2960344190a3e9

SHA256
29dce15201d8216ad847275ed8476699cd23ed48109f5362da321094d1327fef

SHA512
48cca17665832a8df00997eb9c689204b052ffb9d92db8c6d418223f4fc830833e01b99e1ef08a2f245b6d327d64f742754a1cb5a974ac55d05b7cfe051c17e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt1306.bat

Filesize
89B

MD5
845d151578b0a924f1193a8155084c60

SHA1
eabe0b36e4947ecf92f917bd8a299ad3c0a11689

SHA256
ba992c56e0fe8d403d4cff1ff9e9e63569ef745f9476e1d6328a908a4a084d3e

SHA512
9827f81a4b70df2934c880b271fe3222a9df6515d7e3231b181dd228636006d25bf51a8b0dbe693949e080dd78a8cc1141a5113b955912a7abce87dc53bcb3e4

Download Submit
memory/4084-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5336-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download