a147a3d4ca92a067ad971f993b8358aefbe1fed1279d4c9a99946a79bee2f695

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e7cca7d11d4560cc1d6cfdd14e102f.exe
Size

46KB
MD5

84e7cca7d11d4560cc1d6cfdd14e102f
SHA1

b460e3c8957b21768a17b687d3c1242844ffc77f
SHA256

a147a3d4ca92a067ad971f993b8358aefbe1fed1279d4c9a99946a79bee2f695
SHA512

c9f7eb3cd1cccf82152376e27d67ce91288bade016f9e1918164f61e5ad97cd98ffa7bd1a431245607f788049a842333d33bf106b9e36098a1f91107039b6dfb
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6IMhyX9:bgGYcA/53GAA6y37Q6z8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	84e7cca7d11d4560cc1d6cfdd14e102f.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1680	1648	84e7cca7d11d4560cc1d6cfdd14e102f.exe	86
PID 1648 wrote to memory of 1680	1648	84e7cca7d11d4560cc1d6cfdd14e102f.exe	86
PID 1648 wrote to memory of 1680	1648	84e7cca7d11d4560cc1d6cfdd14e102f.exe	86

C:\Users\Admin\AppData\Local\Temp\84e7cca7d11d4560cc1d6cfdd14e102f.exe
"C:\Users\Admin\AppData\Local\Temp\84e7cca7d11d4560cc1d6cfdd14e102f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
46KB

MD5
42429a9e63b880e1f4719f89f38b9a15

SHA1
268765b5f6d118b64f5802770c3ce8adf1536172

SHA256
07fa2a0af41759792c5c31db4bc956434ed365cb517f21258279c014821c4135

SHA512
aabf1a84bcededc16bbbe5e786cf5768e6b8b14e5df298f914d4928b9796f3783158b964c01d2a6bffa65cdbb0056f3647fb79604e1563d23cc619e65a65fb1a

Download Submit
memory/1648-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1648-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1648-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/1680-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/1680-21-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download