fd0e318b493c9405765763d7e4750e471eda25803cb69083ecb7df90b51a5d92

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 08:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96b0f680a50ecca80778e5616c29f835.exe
Size

90KB
MD5

96b0f680a50ecca80778e5616c29f835
SHA1

3b7e6f9584bd371f6a8be3bac7db3d01d014ccb4
SHA256

fd0e318b493c9405765763d7e4750e471eda25803cb69083ecb7df90b51a5d92
SHA512

d2eecd3d47fa3a4926125800804adf07372f099cecf32b7338193445854e3067d5d2d9c081790b08c9de99af2e37df5793cde738336b744c60cd067edd57f928
SSDEEP

1536:21dtGmlhGdz2IacJa3u9dfOv919D2AzKUvhWRx0q0cnfRCGRlfXVAG80x5gcR4+t:21dtGmlhGh2I43ubOvXt2I4Kq0cnjRlv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	96b0f680a50ecca80778e5616c29f835.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5380 wrote to memory of 2972	5380	96b0f680a50ecca80778e5616c29f835.exe	84
PID 5380 wrote to memory of 2972	5380	96b0f680a50ecca80778e5616c29f835.exe	84
PID 5380 wrote to memory of 2972	5380	96b0f680a50ecca80778e5616c29f835.exe	84

C:\Users\Admin\AppData\Local\Temp\96b0f680a50ecca80778e5616c29f835.exe
"C:\Users\Admin\AppData\Local\Temp\96b0f680a50ecca80778e5616c29f835.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Onv..bat" > nul 2> nul
  2⤵
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Onv..bat

Filesize
210B

MD5
11ddc528670d5c75d86f9c2d77e42cba

SHA1
f3e62a4bd491fefff28d154b8f4665cecd1ce480

SHA256
6e181b825601172cfc16539b89d4aa3939aa530fe17c53cb0543347c2c1a92de

SHA512
bde9828b42fb0e6c4a82dfc6b740d43f99519634a439ce8000fa2a647de6ca1f5a455b9092133c900a9e11e3464c06e2342c715299f418f8ba25cdb274d1e37c

Download Submit
memory/5380-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5380-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5380-1-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/5380-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5380-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download