7698bb21ad3a565a757b8cfac71a651eb8487814b8a73a4da958458e4f6e6638

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e901ee8c2ad9caee035ed56cacb16bf.exe
Size

94KB
MD5

8e901ee8c2ad9caee035ed56cacb16bf
SHA1

301e0286a08663110c7357554a7a559cd51a7e84
SHA256

7698bb21ad3a565a757b8cfac71a651eb8487814b8a73a4da958458e4f6e6638
SHA512

a7e5522afb729ad5bcd32dbedc05178ae6e17db34265bf10099019145469efebaa7b3ebed99422c341aa8b43848b6d03adc28df5a6d2bcf58ce07eabe060810a
SSDEEP

1536:bfg+M2Y9oH+cpTKeyaI0Z/od8bDbRvU5yYeVYXrgITAGXBB3exYEjpepikFIy:bfgyY9oH+cTKGI0Z/oooeVYXrgI0GXW4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	8e901ee8c2ad9caee035ed56cacb16bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 372	4796	8e901ee8c2ad9caee035ed56cacb16bf.exe	76
PID 4796 wrote to memory of 372	4796	8e901ee8c2ad9caee035ed56cacb16bf.exe	76
PID 4796 wrote to memory of 372	4796	8e901ee8c2ad9caee035ed56cacb16bf.exe	76

C:\Users\Admin\AppData\Local\Temp\8e901ee8c2ad9caee035ed56cacb16bf.exe
"C:\Users\Admin\AppData\Local\Temp\8e901ee8c2ad9caee035ed56cacb16bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Blz..bat" > nul 2> nul
  2⤵
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Blz..bat

Filesize
210B

MD5
86895d5f96994c130d08cc154e8cdcab

SHA1
6ab206694d56c6670a1e054010c10c410eab975b

SHA256
d8e173dfc829893db006eafcc4a2f89296a2ec89ba34524e727fb21ede0aefcd

SHA512
78128d93eb70be013cf8e99e5332ab25b352898f43ee70f1a2df2c86b76a3315364474994a03e98e0744106965d92b300c369020edeed0973e146e4ac4d23172

Download Submit
memory/4796-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4796-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4796-1-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4796-3-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4796-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download