fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf

Analysis

max time kernel
166s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe
Size

345KB
MD5

3d8e3397cf623c090684ff3c5600a9a2
SHA1

71cd356dd1bef4497cf193606e5bf435a2f75ac0
SHA256

fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf
SHA512

752c7d0bb42b948414e05e2be6b9e490d84e019893f57df0624b905cc1083197a27a07ed861f3cb96e9d5448d7435241cb7110f119efbc5a1a73920e8f9e4edb
SSDEEP

6144:QiubWrNSOetO6cprlQAOWizGLIoSd1sUZrqE:3ubsNSOetfARQAPyGUbTrx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1436	2924	fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe	93
PID 2924 wrote to memory of 1436	2924	fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe	93
PID 2924 wrote to memory of 1436	2924	fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe	93
PID 1436 wrote to memory of 444	1436	cmd.exe	96
PID 1436 wrote to memory of 444	1436	cmd.exe	96
PID 1436 wrote to memory of 444	1436	cmd.exe	96
PID 444 wrote to memory of 208	444	mshta.exe	99
PID 444 wrote to memory of 208	444	mshta.exe	99
PID 444 wrote to memory of 208	444	mshta.exe	99

C:\Users\Admin\AppData\Local\Temp\fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe
"C:\Users\Admin\AppData\Local\Temp\fc96295f8b6d70c902f22aaa7c043fa2ed917e8286385c3722a4aea47925c7cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uninstall_extension_tools.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:createobject("wscript.shell").run("""Uninstall_extension_tools.bat"" h",0)(window.close)
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uninstall_extension_tools.bat" h"
      4⤵
      PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uninstall_extension_tools.bat

Filesize
272B

MD5
928edcad54ab54d9507be43018f06e25

SHA1
147bdb5a8d9e02fcdd0e60ea43f4c0b924c70853

SHA256
9b9a7a5d502676502b15cd7a69d71c95fde40346eada82d1b3ff98dfb15b15e2

SHA512
e4a5d1bb4fee06339fad3a3f40244d2aa5a502a40a73c61fa047d559839a280cb29a8793991f05b6c5b8e0143a6ca05a8c484f7a820af9531dc54016944999e8

Download Submit