50162d05f7e70ae0167b57444408355f6cfdc16f7429f1a5b85e3d07fd7d404d

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b484c5a9a197e3428607ddf2338e0834.exe
Size

286KB
MD5

b484c5a9a197e3428607ddf2338e0834
SHA1

01617b2e628cfc8f4c81ea84d438a80aea2db0e6
SHA256

50162d05f7e70ae0167b57444408355f6cfdc16f7429f1a5b85e3d07fd7d404d
SHA512

093d5b7995a61cd6d3bdd698199a108268aa08eb220d7a67644f512cd26ced296f0f2dc016289a7df4ba59dd84251c818871a51b45179a2c2dba2305fad5c209
SSDEEP

6144:gu2urzh9xu/XkauBN7d7ykx6AllSDqFVk6rwcuJFRJfsR:gutrzh9xOXk7Bykx6AVkrDnRtW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	b484c5a9a197e3428607ddf2338e0834.exe

Executes dropped EXE 1 IoCs

pid	Process
748	enable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 748	700	b484c5a9a197e3428607ddf2338e0834.exe	90
PID 700 wrote to memory of 748	700	b484c5a9a197e3428607ddf2338e0834.exe	90
PID 700 wrote to memory of 748	700	b484c5a9a197e3428607ddf2338e0834.exe	90

C:\Users\Admin\AppData\Local\Temp\b484c5a9a197e3428607ddf2338e0834.exe
"C:\Users\Admin\AppData\Local\Temp\b484c5a9a197e3428607ddf2338e0834.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:700
- C:\Users\Admin\AppData\Local\Temp\enable.exe
  "C:\Users\Admin\AppData\Local\Temp\enable.exe"
  2⤵
  - Executes dropped EXE
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enable.exe

Filesize
149KB

MD5
41aad1bb0cba71f44e15dc658a12948f

SHA1
8eea74b9f58481e522e2e7c43bd9190b6ab6eb9b

SHA256
d143f6b6087c66753f1d34077f270ef31778248d918daa2552a51748b78a614b

SHA512
4da9f3d89c36f1988d8d789536634b680596a7737fca3b17643555bf5ad6a6d98bb03068dc9fe558f797053218e40af8cd373034f211e70a12ad6d6522a09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\enable.exe

Filesize
463KB

MD5
34fcadca099fc80880220251fd3e4128

SHA1
8675f2a04fcbd9a71a6508aebbbd7a780c4fa71e

SHA256
94193c4b547cd80cc066da6b7dc09e392fa187710fcbb934afdc64a2adeb96ff

SHA512
6b32d1f83b79830fcf07fcb9df5a29bf758b93e50f31b10615da6cb43cbd4e855e278ff5bf7243da04b7d5a919e4dbc8d11f0d1c93bb2c8699b37a80d3f86d7f

Download Submit
memory/748-9-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/748-10-0x0000000005240000-0x00000000052BB000-memory.dmp

Filesize
492KB

Download
memory/748-12-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/748-26-0x0000000005240000-0x00000000052BB000-memory.dmp

Filesize
492KB

Download