fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe
Size

4.2MB
MD5

d65dbd51a99b7b0b6eaa7041b94349fa
SHA1

e77180ded2c4c5abeda156f7b6f1aaa130990980
SHA256

fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b
SHA512

0eb42ea5df8a1f0323dcab86f38df38e753e5a2b3d66903932c4da5802474b1a6aaf84a731c46506efc8467bd299185009ab9ea84935b061dbf076e053251b8b
SSDEEP

49152:8wdhBkGMb18MLjRkRl+2HxYc0vFuvNX/oj6nPtISw1cDyd/A0tm/Y+G7/v/U3EQE:8wdhBkGMb188jaz+2RYGwWedUYdTv/U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe

Executes dropped EXE 1 IoCs

pid	Process
3476	mMp13ea6Zw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3476	2608	fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe	90
PID 2608 wrote to memory of 3476	2608	fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe	90
PID 2608 wrote to memory of 3476	2608	fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe	90

C:\Users\Admin\AppData\Local\Temp\fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe
"C:\Users\Admin\AppData\Local\Temp\fb33fa97061e58e8e4d2232a2c5c1912aaf70eb25f92c42013ce4211d2e1104b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\mMp13ea6Zw.exe
  "C:\Users\Admin\AppData\Local\Temp\mMp13ea6Zw.exe"
  2⤵
  - Executes dropped EXE
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mMp13ea6Zw.exe

Filesize
2.1MB

MD5
4b9b8bd833c933f97758999eb19d5cac

SHA1
2c968cab45dc123f6ed0179eaad8e3116e86147a

SHA256
8d4b27549ed9fc0264fb3dcc2159d62f1993a35aa5ce1b715d79359f56f547df

SHA512
07d0d7cc42a53154cb616116abc99ac56418cd4ade74cce6aae7ba274c05695c68e97bf7b11b95f9bf7fd527528e041a6c9b76e9ab73639b9539cd38a92036fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMp13ea6Zw.exe

Filesize
768KB

MD5
8ec3decd277a171f5e59951b3086baaa

SHA1
b86a467e3ae82690bf024b79d0bf7be7e75e3e0e

SHA256
6ee59ffe1e2440f10ecf7f4508304ddbc736ed596190c7655e9d476b97e718af

SHA512
a24818c1723302e6f5d5cf8f5c59563fe7fc49129b36b6ce9c2cc7a56325df91babe640da8cd75c24865c84f67384a32d8f0c98249d38a4259bed15740f07d9e

Download Submit
memory/2608-11-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3476-10-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download