393349478b4a904e4e4394891f7b3dc25c404a28c7d1381822e39b9ee683aa45

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea80838f3016998e4fc2532c736d5ca8.exe
Size

34KB
MD5

ea80838f3016998e4fc2532c736d5ca8
SHA1

2f49a1059f746b74001a272fd67c2fa1e7db9edc
SHA256

393349478b4a904e4e4394891f7b3dc25c404a28c7d1381822e39b9ee683aa45
SHA512

8a014d128a07f1bd9b3e13daa5a4ea1e167fe4db856c89f7284249290be9f2915c47c065ecf9ffed4b085b11087785cf0ed546ea57a2f7c3f0125af811ef91ea
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6ls:bA74zYcgT/Ekd0ryfjPIunqpeNswmb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ea80838f3016998e4fc2532c736d5ca8.exe

Executes dropped EXE 1 IoCs

pid	Process
3900	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3900	2872	ea80838f3016998e4fc2532c736d5ca8.exe	85
PID 2872 wrote to memory of 3900	2872	ea80838f3016998e4fc2532c736d5ca8.exe	85
PID 2872 wrote to memory of 3900	2872	ea80838f3016998e4fc2532c736d5ca8.exe	85

C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe
"C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
34KB

MD5
8197827be9bfeadc7e5d9a939b8cb275

SHA1
2f7eeeb3421d70b07dc1e1d47a0ca595f8906ac9

SHA256
ed62f14ac3b074edd5a12bc3d6759985160eb5034e3a2d3e411d2a11ebb95ccf

SHA512
167422c85c21f26549cb2a0269f7ea1596a59b0e052568e1a469cb2e085f3408d8f5f0fa223986ea98318f3fee1a006d29bce52ff6a2a4915471c0885f3f9bf6

Download Submit
memory/2872-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2872-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2872-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3900-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/3900-18-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download