3edd4c2069f7e60cb5ba0698b33d876fb0cf49337947c89023dc986d3f9ff34a

Analysis

max time kernel
116s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9ad96be79e5f8152f1b447610598b0d.exe
Size

94KB
MD5

b9ad96be79e5f8152f1b447610598b0d
SHA1

8225f24b54541f508671ef1e66eaec3de1d0bd45
SHA256

3edd4c2069f7e60cb5ba0698b33d876fb0cf49337947c89023dc986d3f9ff34a
SHA512

f7a6c36fda417c2233f4651256c86cdd251be533496f35e78e998f7c7cf7aa38d39f01ecfe1d7209975fbf4d20e562d768d9e85861e0e7bfdbf43d67e0021097
SSDEEP

1536:M9c//cQk4w68KXJnml4KBMrlx764OMGDoFVa2FwFIy:kcMQk431mulRPEiETFIy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	b9ad96be79e5f8152f1b447610598b0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 3196	3296	b9ad96be79e5f8152f1b447610598b0d.exe	91
PID 3296 wrote to memory of 3196	3296	b9ad96be79e5f8152f1b447610598b0d.exe	91
PID 3296 wrote to memory of 3196	3296	b9ad96be79e5f8152f1b447610598b0d.exe	91

C:\Users\Admin\AppData\Local\Temp\b9ad96be79e5f8152f1b447610598b0d.exe
"C:\Users\Admin\AppData\Local\Temp\b9ad96be79e5f8152f1b447610598b0d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mhj..bat" > nul 2> nul
  2⤵
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mhj..bat

Filesize
210B

MD5
c5dfe74a95752e327f9b684551cddc5c

SHA1
945ec6641fbb3c7cd6058cd3e6f2fe9cfd759073

SHA256
4e4d4f9251bf90a0cb00f9fc1366209b106c3d70e707fb41deb70cd73c589e96

SHA512
857b022e7bdf08f7499ed24d869760e55b24b61f40e1faa9d02b08d5a874b4c1239dab95889a7fef59bb79e79068a6f779d7cebb80b07292a7de8896caa5d612

Download Submit
memory/3296-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3296-1-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3296-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3296-4-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3296-3-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3296-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download