78cba9c191b2dc98650ef52bd4827ea96f834d5d345ee9ae71127146328207be

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fPoeSmoother.exe
Size

1.8MB
MD5

e7bc4056ca01c223875c40eab01cb9d1
SHA1

72b08a05e49a61d43165d72cd7ab072b5b7a99fd
SHA256

0c932b2c67c0b3a5816fab7b66f622367caa33eddf110a4d6317a906aa5a8bd3
SHA512

9878802b7edc04b7cbb12b3ce0cea12f75a57edca3b5b35ac8528a421e376028517c691be6cd903d44c2342e258a42a501270880af9d09e9252ae51c9d0ff3ad
SSDEEP

49152:ahQONPdzpDMjY91n+Zs4ZLJzODe4keLPq/VCi1QOoTdRus:xUN+ei0f2fVkdks

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	fPoeSmoother.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3460	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	fPoeSmoother.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4552	4748	fPoeSmoother.exe	84
PID 4748 wrote to memory of 4552	4748	fPoeSmoother.exe	84
PID 4552 wrote to memory of 3460	4552	cmd.exe	86
PID 4552 wrote to memory of 3460	4552	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\fPoeSmoother.exe
"C:\Users\Admin\AppData\Local\Temp\fPoeSmoother.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\timeout.exe
    timeout / t 1 / nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fPoeSmoother.tmp

Filesize
1KB

MD5
3cf05ff4f7050e65803702c3a8af1b9b

SHA1
95918461b30df6bd7623f2f065875f43bac98d63

SHA256
4688a16ed380c0dfb754e22b49cee13456abaf64830efeb91adc65c511b84eaf

SHA512
a72a39ec502449bd34684db81619e87082ed8d4a9828ecdadb45537f44508d3f4cba9103a296f8640e1cb066f71ef759cb71ed4606da1e08f57fb6a123b7cb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.bat

Filesize
176B

MD5
3389c3478c85126617b1ab0d8a28f7f8

SHA1
26db3aa595fb298e1aa71b48338e582a09dcdfcf

SHA256
1b386f12619223b110de6e7f97708cb0210054dfd546f7903f18f8e7b4673628

SHA512
13e1d503894ba989c8123ee120f46d7f63749bbb794a2adf3309293b01863423e17b4596757fef3f543d57357e28f2f3f16abca4ffcd29129227ad96a8cc62a1

Download Submit
memory/4748-2-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

Filesize
10.8MB

Download
memory/4748-0-0x000001DDCABD0000-0x000001DDCADA2000-memory.dmp

Filesize
1.8MB

Download
memory/4748-4-0x000001DDE5380000-0x000001DDE563A000-memory.dmp

Filesize
2.7MB

Download
memory/4748-5-0x000001DDE7210000-0x000001DDE76D0000-memory.dmp

Filesize
4.8MB

Download
memory/4748-6-0x000001DDCB160000-0x000001DDCB164000-memory.dmp

Filesize
16KB

Download
memory/4748-7-0x000001DDE6F00000-0x000001DDE6FBA000-memory.dmp

Filesize
744KB

Download
memory/4748-8-0x000001DDE5370000-0x000001DDE5380000-memory.dmp

Filesize
64KB

Download
memory/4748-3-0x000001DDE5370000-0x000001DDE5380000-memory.dmp

Filesize
64KB

Download
memory/4748-14-0x000001DDE7B40000-0x000001DDE7C88000-memory.dmp

Filesize
1.3MB

Download
memory/4748-15-0x000001DDE7A20000-0x000001DDE7A44000-memory.dmp

Filesize
144KB

Download
memory/4748-16-0x000001DDE7A50000-0x000001DDE7A6A000-memory.dmp

Filesize
104KB

Download
memory/4748-18-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

Filesize
10.8MB

Download
memory/4748-1-0x000001DDCB150000-0x000001DDCB154000-memory.dmp

Filesize
16KB

Download