4c757c5ceb0d7f467bc5e618d563fb768bfcadd97aad9aeeef45438fb068d4f1

Analysis

max time kernel
175s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ccc4e2c2d63770759f79934dec0971.exe
Size

957KB
MD5

a1ccc4e2c2d63770759f79934dec0971
SHA1

cd73f422ef3f54bcb5c653c36596270fb1a32f29
SHA256

4c757c5ceb0d7f467bc5e618d563fb768bfcadd97aad9aeeef45438fb068d4f1
SHA512

029ed4e7aa236c25403614baef03bb2d27789187eabe35ba99b2a2bae16e292de6fafaae405a2ee80c552b2d1d1d685361cd5caa51e2c5f330d0ceb169f920c1
SSDEEP

12288:BNuF2OPlgCxbUuqEolqhlBG0EZRYx35Ua8wvJfiU3us5NhOblYNTwUkVQ+PYJ/tN:BNuFhCwUuqDluBMfEhJX3z5mKhwbLenv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	a1ccc4e2c2d63770759f79934dec0971.exe

Loads dropped DLL 2 IoCs

pid	Process
3804	a1ccc4e2c2d63770759f79934dec0971.exe
3804	a1ccc4e2c2d63770759f79934dec0971.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3804	a1ccc4e2c2d63770759f79934dec0971.exe
3804	a1ccc4e2c2d63770759f79934dec0971.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 2324	3804	a1ccc4e2c2d63770759f79934dec0971.exe	92
PID 3804 wrote to memory of 2324	3804	a1ccc4e2c2d63770759f79934dec0971.exe	92
PID 3804 wrote to memory of 2324	3804	a1ccc4e2c2d63770759f79934dec0971.exe	92
PID 3804 wrote to memory of 3684	3804	a1ccc4e2c2d63770759f79934dec0971.exe	95
PID 3804 wrote to memory of 3684	3804	a1ccc4e2c2d63770759f79934dec0971.exe	95
PID 3804 wrote to memory of 3684	3804	a1ccc4e2c2d63770759f79934dec0971.exe	95

C:\Users\Admin\AppData\Local\Temp\a1ccc4e2c2d63770759f79934dec0971.exe
"C:\Users\Admin\AppData\Local\Temp\a1ccc4e2c2d63770759f79934dec0971.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
  2⤵
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDA92.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDA92.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
121B

MD5
5759c683286669ac8bd914f08d4ad7a8

SHA1
ebb3f81e93df7ab47e13becac4364255a9c44e9d

SHA256
ac52e633835741e87caaabc511e4b79e25cfef63d18f42849b6b4095f9471bdc

SHA512
7c92507c80e5d16c50eb684e0cdbdcbc0a20a5462a583b2ef032ccbe411f34b7827912dc9ed2bf23c479a63707702a413265421c56c1ddc48897289a87f3dfc0

Download Submit
memory/3804-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download