ec7a5ee5ff89f1e4023e8402d86f7254e491eba754b848cd5fe8bbf100b4d27c

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973d0e43eed03219ed3a8ba5540801c.exe
Size

52KB
MD5

c973d0e43eed03219ed3a8ba5540801c
SHA1

8682fc44eebbe5d513b54fe5fa595c8927b79fad
SHA256

ec7a5ee5ff89f1e4023e8402d86f7254e491eba754b848cd5fe8bbf100b4d27c
SHA512

db73131795233b76fe0f4c2f7de57b776060920f0735d3dfee072b2ae589cee3cf3a3cc3ecf9e8800934a27e056b866f659acd967cbaeb63d0c84c06c6eef500
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdO5n:ZVxkGOtEvwDpjcR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	c973d0e43eed03219ed3a8ba5540801c.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 4544	2944	c973d0e43eed03219ed3a8ba5540801c.exe	84
PID 2944 wrote to memory of 4544	2944	c973d0e43eed03219ed3a8ba5540801c.exe	84
PID 2944 wrote to memory of 4544	2944	c973d0e43eed03219ed3a8ba5540801c.exe	84

C:\Users\Admin\AppData\Local\Temp\c973d0e43eed03219ed3a8ba5540801c.exe
"C:\Users\Admin\AppData\Local\Temp\c973d0e43eed03219ed3a8ba5540801c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
52KB

MD5
2f9c75cfbf2c2a6d632a5f3f378f7ef3

SHA1
b0690531db13c1bf186b2a94c2e1a85d22e80ebd

SHA256
700a7ad09c26062d1b47bc93701db24121f819cacfd14672b9a204ff42f5936e

SHA512
7bdb40444a5b46d6d3a259dc66a25a6d7034119d82d678619ded631bf9b45b9dcfd18c8664292e6ab013d857e6d36f95272f31bb0d336ac134d46aa8e59bd95f

Download Submit
memory/2944-0-0x00FFFFFF00FFFFFF-0x00FFFFFF00FFFFFF-memory.dmp

Download
memory/2944-1-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2944-2-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2944-3-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/4544-17-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/4544-19-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/4544-23-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download