ece8a18ca4213a95ef9b7d6f9bf18b81572c159cf2c7a836d70e2716cc7253da

Analysis

max time kernel
141s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Danger/Danger.exe.lnk
Size

754B
MD5

3aa93f1683c12eda4052f23f41dbc3f5
SHA1

b7882957f4dbe44635090b03549e4caf46904f95
SHA256

0f910c6ab06b9a7b71bafd53fae092e83fb260f91e6b2046938aa8d3028b4d6b
SHA512

8ba33c3c408780b613ec2f26823383e73d316c59f9463bfa703652b1dd86e639b96c5b1d56d9c81da61ee431546216575d520b357d0bf8af686b15606255f1ac

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	cmdbkg.exe
2428	cmdbkg.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4340	1192	cmd.exe	88
PID 1192 wrote to memory of 4340	1192	cmd.exe	88
PID 1192 wrote to memory of 4340	1192	cmd.exe	88
PID 4340 wrote to memory of 4940	4340	Danger.exe	90
PID 4340 wrote to memory of 4940	4340	Danger.exe	90
PID 4940 wrote to memory of 2908	4940	cmd.exe	92
PID 4940 wrote to memory of 2908	4940	cmd.exe	92
PID 4940 wrote to memory of 4324	4940	cmd.exe	94
PID 4940 wrote to memory of 4324	4940	cmd.exe	94
PID 4940 wrote to memory of 4324	4940	cmd.exe	94
PID 4324 wrote to memory of 2428	4324	cmdbkg.exe	95
PID 4324 wrote to memory of 2428	4324	cmdbkg.exe	95
PID 4324 wrote to memory of 2428	4324	cmdbkg.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Danger\Danger.exe.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\Danger\Danger.exe
  "C:\Users\Admin\AppData\Local\Temp\Danger\Danger.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3C8C.tmp\3C8D.tmp\3C8E.bat C:\Users\Admin\AppData\Local\Temp\Danger\Danger.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\Danger\cmdbkg.exe
      cmdbkg anon.jpg /t 30 /c /b
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\Danger\cmdbkg.exe
        
        cmdbkg anon.jpg /t 30 /c /b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C8C.tmp\3C8D.tmp\3C8E.bat

Filesize
2KB

MD5
2d65b6e5544d98e77b8091cd73ae1843

SHA1
c4670cf1876484ab2df8059608248cec20e37152

SHA256
0a8248ff4b5a2f17babd05dfc19d7f6333d1e58e9996308ae08064b90827d0a5

SHA512
a40b507bf4c5b3d4a5f0eebc1c1b0d652d63dc674890caf06c389f6a1427a4ba3a22f3a62d3dd8874e0aac7aa890a31cf76198b7caa0e7d78bb150af39182943

Download Submit
memory/2428-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4324-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download