85c68afc84f2ff1b282b12c64c10f559c8de22a3e46b8cd03d09f95fb82f3a18

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 17:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a25c9e0db567e8860dd5b44bb1f78696.exe
Size

1.6MB
MD5

a25c9e0db567e8860dd5b44bb1f78696
SHA1

2b074514d036c658e181c4ceb33726e83eadee85
SHA256

85c68afc84f2ff1b282b12c64c10f559c8de22a3e46b8cd03d09f95fb82f3a18
SHA512

739a17492a14d9a0573bb885e475290f04382011f0eb5d495bc682b9a7781d59bb1ae0256594974f5cd97652b2af82aeda75cc84d4d99a70500aca198ece3363
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9E:/GIjR1Oh0To

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	a25c9e0db567e8860dd5b44bb1f78696.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4904	a25c9e0db567e8860dd5b44bb1f78696.exe
4904	a25c9e0db567e8860dd5b44bb1f78696.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4904	a25c9e0db567e8860dd5b44bb1f78696.exe
4904	a25c9e0db567e8860dd5b44bb1f78696.exe
4904	a25c9e0db567e8860dd5b44bb1f78696.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1988	4904	a25c9e0db567e8860dd5b44bb1f78696.exe	87
PID 4904 wrote to memory of 1988	4904	a25c9e0db567e8860dd5b44bb1f78696.exe	87
PID 4904 wrote to memory of 1988	4904	a25c9e0db567e8860dd5b44bb1f78696.exe	87

C:\Users\Admin\AppData\Local\Temp\a25c9e0db567e8860dd5b44bb1f78696.exe
"C:\Users\Admin\AppData\Local\Temp\a25c9e0db567e8860dd5b44bb1f78696.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\15523.bat" "C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\""
  2⤵
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15523.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\F30E8FBB70D941B088FAA5A00A4ED621_LogFile.txt

Filesize
1KB

MD5
049978273e6b48b177de2b8c46b0998d

SHA1
5e1341852d76cabb45b05269ab72d27adbd9d8e5

SHA256
e0876d41a63720e439c8dd1eedfefa8ab035a40d214e82ec8260bf763b133527

SHA512
be3b55096e7e63f7040ebbcf5f7a2b34c77c5d10c5736cc13ed89f67a941dff2abe03730bab3ef89445a6512bbca0b602bdf5785bb3c1eab559eb2cbd102c212

Download Submit
C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\F30E8FBB70D941B088FAA5A00A4ED621_LogFile.txt

Filesize
771B

MD5
7ead2e1027afb91dd04b040dbb80bd30

SHA1
669b71cb3914915a5969f62ee9ed07813abd3cdb

SHA256
1951dc1e4a2a1e41a6860ecbce0758e42e05d9b3c3c0b3a7a09fb235639fe4ed

SHA512
67964586ab0b6ff4c0c0eaa7761e4e895bb1e89056801d9419eec41cfd25418c200e84272f26f9c193ce489b86d06971b7155c3f2ad8d4dab32671849ac80925

Download Submit
C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\F30E8FBB70D941B088FAA5A00A4ED621_LogFile.txt

Filesize
2KB

MD5
c9b970a2c117d360fb5731d996fdee28

SHA1
fe4f22de867d2766d23f6d0e9f5b10be7a6a3147

SHA256
894424a0e5e58dea4296e91a71236b521524c7b790ff760ffddbda6bbc7b1343

SHA512
ef0dd84ee78eed9c1aa9a817edde5df8351d94f13dab6240a6ed98dace57355168fed73823aec16b628663fd1b1828821f8f2d38054421a2d650fa167d337fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\F30E8FBB70D941B088FAA5A00A4ED621_LogFile.txt

Filesize
5KB

MD5
a2ce997932278c49a7ac9782ab63be10

SHA1
8fe5d72178bc88161464165c1277f3ae80eb02c6

SHA256
b05d89e69d2a6c799b486289f90f6d294f418bd67855a3164fbf527a22dee3ab

SHA512
21dbb8831ecf0c49f06023f2a862ab8d1cd1f6bf5fdfce4964327878013b47cc5f586aa48241ffbbca123adcfcc12b8ad517a517ac3618f2427752ab1b40d9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F30E8FBB70D941B088FAA5A00A4ED621\F30E8F~1.TXT

Filesize
102KB

MD5
5ee972cf825bed599f66c2b7a1146f8d

SHA1
79aaa9ab6a2c57b54f1e35e13cf4c7093bb25215

SHA256
4a2608df696eba5407c44cd9070934d564c59d6d1a88179c27f711145d8141f3

SHA512
3b508e637d7da99bd250b6883a2f48010bd1130914b1c2e1e286dced79318a0e20a1fb2ed2976b8c2f2cc125484befc48f5c6ca85f9dedaf084937b6a36c9329

Download Submit
memory/4904-63-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download