cfc4a9c88dfd582a9146ffcac40af898755d7fcb372aaaade5627fa09ad9b497

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5e5602f5d31013cf079f27284fe33f8.exe
Size

3.4MB
MD5

b5e5602f5d31013cf079f27284fe33f8
SHA1

3469fb7cb8a9525d2e6762e80986c86f1d0aba63
SHA256

cfc4a9c88dfd582a9146ffcac40af898755d7fcb372aaaade5627fa09ad9b497
SHA512

ba7e38cfc426622d5a9bac11770f38f4cbd9140cbe62143ea442ba4a011900f10357484eebc3e3a6bc4c9ef094928b02d8b9a754f1f684a0f1c8be397aad718b
SSDEEP

49152:P5RVdJK4h+ZXuGOwg8S1WCfftlBO6XwhO+yAWZTSEFeodqN/i4fWxEXqBB:84h+Z+GOwiWCffJO42O/1FexK3B

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
49	3004	cmd.exe
52	3004	cmd.exe
54	3004	cmd.exe
66	3004	cmd.exe
67	3004	cmd.exe
96	3004	cmd.exe
97	3004	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	b5e5602f5d31013cf079f27284fe33f8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	UU5IfqQxsBw.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe	b5e5602f5d31013cf079f27284fe33f8.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
1408	UU5IfqQxsBw.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 232	688	b5e5602f5d31013cf079f27284fe33f8.exe	88
PID 688 wrote to memory of 232	688	b5e5602f5d31013cf079f27284fe33f8.exe	88
PID 688 wrote to memory of 232	688	b5e5602f5d31013cf079f27284fe33f8.exe	88
PID 232 wrote to memory of 1940	232	b5e5602f5d31013cf079f27284fe33f8.exe	98
PID 232 wrote to memory of 1940	232	b5e5602f5d31013cf079f27284fe33f8.exe	98
PID 232 wrote to memory of 1940	232	b5e5602f5d31013cf079f27284fe33f8.exe	98
PID 1940 wrote to memory of 1408	1940	UU5IfqQxsBw.exe	99
PID 1940 wrote to memory of 1408	1940	UU5IfqQxsBw.exe	99
PID 1940 wrote to memory of 1408	1940	UU5IfqQxsBw.exe	99
PID 1408 wrote to memory of 3004	1408	UU5IfqQxsBw.exe	103
PID 1408 wrote to memory of 3004	1408	UU5IfqQxsBw.exe	103
PID 1408 wrote to memory of 3004	1408	UU5IfqQxsBw.exe	103
PID 1408 wrote to memory of 3004	1408	UU5IfqQxsBw.exe	103
PID 1408 wrote to memory of 3004	1408	UU5IfqQxsBw.exe	103

C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe
"C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe
  "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe" "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe" "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe

Filesize
3.4MB

MD5
7090bb34c315ce62be4d7fdafd1292e2

SHA1
a87471d7deac135e955f044ca16bd440b9c83c81

SHA256
e39ced2a963ffe3a341831997eefb3f343b32ef28c1bde7113ac2190b028ce81

SHA512
3346f20d033f78336df99ae6e2a7afc3fe4f36f1ed0744224c490869cea615ca6e790de6e4bcdd085d370230849bb1df619dbb43668ae00ca1b380eea360f96e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UU5IfqQxsBw.exe

Filesize
850KB

MD5
1de8b41a80e5f29a8da46b6dca3095c0

SHA1
4df3bd94da4bc2e2859bf163fcd8d8f71b2c3350

SHA256
9adb75234144844634f0202439f19647a947d70fd6cefcc3f562d28a37c6f417

SHA512
386c792dddcb7ea71f1069585ad214f7e77d331b9278da36687f1482b2fb337d00d43a8eaf48fb991cbcfb6fad2283d42693ce6ae5893ba4cc390a464c69c9f7

Download Submit
memory/232-1-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/232-3-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/232-14-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/688-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/688-2-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1408-19-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1408-18-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/1408-30-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/1408-20-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-22-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1408-21-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-23-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-24-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-25-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1408-26-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1408-27-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/1940-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3004-33-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-44-0x0000000004C50000-0x0000000004CCE000-memory.dmp

Filesize
504KB

Download
memory/3004-28-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/3004-34-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-35-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3004-36-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-37-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-38-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-39-0x0000000077D32000-0x0000000077D33000-memory.dmp

Filesize
4KB

Download
memory/3004-40-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/3004-41-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/3004-42-0x0000000004C00000-0x0000000004C49000-memory.dmp

Filesize
292KB

Download
memory/3004-43-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/3004-31-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/3004-45-0x0000000004EF0000-0x0000000004FDA000-memory.dmp

Filesize
936KB

Download
memory/3004-46-0x0000000004D30000-0x0000000004DED000-memory.dmp

Filesize
756KB

Download
memory/3004-47-0x0000000008F50000-0x000000000915B000-memory.dmp

Filesize
2.0MB

Download
memory/3004-48-0x0000000005BE0000-0x0000000005C87000-memory.dmp

Filesize
668KB

Download
memory/3004-49-0x00000000049D0000-0x00000000049F1000-memory.dmp

Filesize
132KB

Download
memory/3004-50-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/3004-51-0x0000000008920000-0x0000000008CB4000-memory.dmp

Filesize
3.6MB

Download
memory/3004-52-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3004-53-0x0000000004C00000-0x0000000004C49000-memory.dmp

Filesize
292KB

Download
memory/3004-54-0x0000000004D30000-0x0000000004DED000-memory.dmp

Filesize
756KB

Download
memory/3004-55-0x0000000008F50000-0x000000000915B000-memory.dmp

Filesize
2.0MB

Download
memory/3004-56-0x0000000005BE0000-0x0000000005C87000-memory.dmp

Filesize
668KB

Download
memory/3004-57-0x0000000008920000-0x0000000008CB4000-memory.dmp

Filesize
3.6MB

Download