bd10e1a80d03bb4929da66d11d90c7ff9573857993eb12bd475a3c6e55add2c1

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a44da8c7864f8b677f5497a7f6ffad8.exe
Size

3.4MB
MD5

9a44da8c7864f8b677f5497a7f6ffad8
SHA1

cc0e06f7b68d201b845655ce9826cb7967adfb91
SHA256

bd10e1a80d03bb4929da66d11d90c7ff9573857993eb12bd475a3c6e55add2c1
SHA512

7671e6ea19d06abe8f4359e31cb4706e9ed7b285f35af59c08f73cca459236a089680149754a2f9071c4be3df726d068db08ab353cdc61a4ac48a3c87db30be2
SSDEEP

49152:yMGztB4KZTqjkovMpF7bXohvZxC1YoAGFo0KY9lSDU4wnG+VbbNKSb3otwyw9J+O:sPLI9v6FfXk+WU1KowKGMbleOJL6W

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
30	2036	cmd.exe
31	2036	cmd.exe
33	2036	cmd.exe
34	2036	cmd.exe
48	2036	cmd.exe
49	2036	cmd.exe
52	2036	cmd.exe
54	2036	cmd.exe
55	2036	cmd.exe
63	2036	cmd.exe
64	2036	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	9a44da8c7864f8b677f5497a7f6ffad8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	3tn5pQFoEDXcb.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe	9a44da8c7864f8b677f5497a7f6ffad8.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
3508	3tn5pQFoEDXcb.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe
2036	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4356	4848	9a44da8c7864f8b677f5497a7f6ffad8.exe	84
PID 4848 wrote to memory of 4356	4848	9a44da8c7864f8b677f5497a7f6ffad8.exe	84
PID 4848 wrote to memory of 4356	4848	9a44da8c7864f8b677f5497a7f6ffad8.exe	84
PID 4356 wrote to memory of 1964	4356	9a44da8c7864f8b677f5497a7f6ffad8.exe	89
PID 4356 wrote to memory of 1964	4356	9a44da8c7864f8b677f5497a7f6ffad8.exe	89
PID 4356 wrote to memory of 1964	4356	9a44da8c7864f8b677f5497a7f6ffad8.exe	89
PID 1964 wrote to memory of 3508	1964	3tn5pQFoEDXcb.exe	90
PID 1964 wrote to memory of 3508	1964	3tn5pQFoEDXcb.exe	90
PID 1964 wrote to memory of 3508	1964	3tn5pQFoEDXcb.exe	90
PID 3508 wrote to memory of 2036	3508	3tn5pQFoEDXcb.exe	94
PID 3508 wrote to memory of 2036	3508	3tn5pQFoEDXcb.exe	94
PID 3508 wrote to memory of 2036	3508	3tn5pQFoEDXcb.exe	94
PID 3508 wrote to memory of 2036	3508	3tn5pQFoEDXcb.exe	94
PID 3508 wrote to memory of 2036	3508	3tn5pQFoEDXcb.exe	94

C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe
"C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe
  "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe" "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe" "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe

Filesize
192KB

MD5
5ff48324abc2a40f7be7d5282594f06a

SHA1
f9928676176a1085ad4832b8a09a549e15559eb5

SHA256
b5778fcb7f8b4e2aceca09eb845c83e71a6131eedf838317856195ef0fcf1b7d

SHA512
1ca6b434f48d107574b83dda737be13a7d3aadc1f2a27e5be863d8782780b35a201209a411a03bcaac4378f15e5611894eef79e662857745bb4ea2b37c32ea06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe

Filesize
128KB

MD5
4dc6b25ff1fed999c13c1248ab230878

SHA1
f7487cbb08f4619605e95d18ef3dd6198bdfb980

SHA256
b4ffb1c65bd692622a6234a45740af93ddfcd86d6cd3cb944df79c0ea55994f6

SHA512
636ae214a71c209f6cea16d72a4fd21cf3b5ef6d7c531e356ac5178e3a0eedd6b0a7c6ee2a60a173a4401d5355487726e532d36c492c3a9fc92f009a7c320522

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe

Filesize
3.0MB

MD5
fb33fc273626caaa957000cad9df7c56

SHA1
bbb5b9c8136f24380ae0cf07de83a33132212f13

SHA256
cfcea74e3ac8f412ec15bb8c8dea49ada110c8014bb305a6f6988f07b59325c9

SHA512
d3c79a7cea46e3396c6dc0b52789aa0457a7b87adf45d48e8fe5be1d059779466961cea709f6b4bcb01ceff732f5db3ffa3355edc9d282d3ee496b2584f98857

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3tn5pQFoEDXcb.exe

Filesize
448KB

MD5
5450e90196b9a65c96bc542e9fc50344

SHA1
d121928a2c4816443ea66a62718d98b8c1e6b523

SHA256
f3d3205c0afac8d05d1465fa6cd4f704b0c72df7887cb3e8b20fd2f9ae406af0

SHA512
a0f05745fd811e36703d13fb660996aea9a00b67b25679bef3c77cb307df3b26c47e112b4fc89eacf9d9bfb4b41ab165a1cf7b54da1731b97a021ecbbaea82d8

Download Submit
memory/1964-13-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2036-40-0x0000000005470000-0x00000000054EE000-memory.dmp

Filesize
504KB

Download
memory/2036-43-0x00000000077B0000-0x00000000079BB000-memory.dmp

Filesize
2.0MB

Download
memory/2036-52-0x0000000005590000-0x0000000005924000-memory.dmp

Filesize
3.6MB

Download
memory/2036-51-0x00000000067A0000-0x0000000006847000-memory.dmp

Filesize
668KB

Download
memory/2036-50-0x00000000077B0000-0x00000000079BB000-memory.dmp

Filesize
2.0MB

Download
memory/2036-49-0x0000000005930000-0x00000000059ED000-memory.dmp

Filesize
756KB

Download
memory/2036-48-0x0000000005420000-0x0000000005469000-memory.dmp

Filesize
292KB

Download
memory/2036-47-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2036-46-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/2036-45-0x0000000005590000-0x0000000005924000-memory.dmp

Filesize
3.6MB

Download
memory/2036-44-0x00000000067A0000-0x0000000006847000-memory.dmp

Filesize
668KB

Download
memory/2036-41-0x00000000059F0000-0x0000000005ADA000-memory.dmp

Filesize
936KB

Download
memory/2036-42-0x0000000005930000-0x00000000059ED000-memory.dmp

Filesize
756KB

Download
memory/2036-39-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/2036-38-0x00000000051F0000-0x0000000005211000-memory.dmp

Filesize
132KB

Download
memory/2036-25-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/2036-37-0x0000000005420000-0x0000000005469000-memory.dmp

Filesize
292KB

Download
memory/2036-28-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/2036-30-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/2036-31-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/2036-32-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2036-33-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/2036-34-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/2036-35-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/2036-36-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/3508-19-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/3508-18-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/3508-23-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3508-14-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3508-22-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/3508-21-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/3508-24-0x0000000077B02000-0x0000000077B03000-memory.dmp

Filesize
4KB

Download
memory/3508-17-0x00000000029F0000-0x0000000002A8E000-memory.dmp

Filesize
632KB

Download
memory/3508-27-0x00000000029F0000-0x0000000002A8E000-memory.dmp

Filesize
632KB

Download
memory/3508-20-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4356-2-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/4356-15-0x0000000000A60000-0x0000000000AFE000-memory.dmp

Filesize
632KB

Download
memory/4356-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4356-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4848-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4848-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download