f7dc2a27dfd8beb086c2d6c41aae33990005174766ffd0872299b5a3144d9134

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ca5d6d5a03490edccfb52ee9d1a32e.exe
Size

48KB
MD5

b4ca5d6d5a03490edccfb52ee9d1a32e
SHA1

6c7588c310674bb2529b7bbaf63947ab482773f2
SHA256

f7dc2a27dfd8beb086c2d6c41aae33990005174766ffd0872299b5a3144d9134
SHA512

336d905f6c7021c62a596c44b39bf9c7a1e4b57b2e653ea444251a905a11b323744764374a4a59fdec9769c8c2c92b3a83c3666b011a069b7a1540c5c7514e78
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxA:24Bobv7aB0EooYEC3rUVcYA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	b4ca5d6d5a03490edccfb52ee9d1a32e.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	zbhnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1568	1216	b4ca5d6d5a03490edccfb52ee9d1a32e.exe	90
PID 1216 wrote to memory of 1568	1216	b4ca5d6d5a03490edccfb52ee9d1a32e.exe	90
PID 1216 wrote to memory of 1568	1216	b4ca5d6d5a03490edccfb52ee9d1a32e.exe	90

C:\Users\Admin\AppData\Local\Temp\b4ca5d6d5a03490edccfb52ee9d1a32e.exe
"C:\Users\Admin\AppData\Local\Temp\b4ca5d6d5a03490edccfb52ee9d1a32e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
48KB

MD5
5a52cffb7d7e6b929c296539b43338da

SHA1
94027479a4f5069e109cec72de9c8face51970e8

SHA256
7068ca405a376449893314cd2a12eff65b0c5d81fb8449466792191e169beffb

SHA512
6f92ec586e9dc559b48fc0f633d0433c753dab253707443cdc0a90361e795c13b250260af5f07c01f4a662264f4defb66fd2363b51413ce6e4c2ceda2d122df3

Download Submit
memory/1216-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1216-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1568-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download