219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 17:34

Target

219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe
Size

126KB
MD5

45b459a3d2625d9b5f3ae1f8678875ea
SHA1

b1641e15874b8fcff6b16bddda088732afcf85d9
SHA256

219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384
SHA512

12b6d82ae1f5bf74de6fdade4b3f63b4db8bde79c6ce0029ae0b65dec27202ac722bafeb8773db5f2bc0466627c1a1850b53ef914bed7cbaa5870a6e9f972f79
SSDEEP

3072:4sPYTYZhyfgRdUsKvLeB+OBmPODatu5TPuJSdqhmlu:4bYZMs3sM+OmPt8lOmu

Score

7^/10

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe
File opened (read-only)	\??\F:	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4252	4032	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe	88
PID 4032 wrote to memory of 4252	4032	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe	88
PID 4032 wrote to memory of 4252	4032	219bd57602fa133b4639b260576032befb08c42faf679d266c29da17e243f384.exe	88
PID 4252 wrote to memory of 4656	4252	cmd.exe	90
PID 4252 wrote to memory of 4656	4252	cmd.exe	90
PID 4252 wrote to memory of 4656	4252	cmd.exe	90