fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe
Size

462KB
MD5

047852f254f727f3ece3da7d9e02a890
SHA1

fe2c5c5255fc718b2e1c12fe5595822087ea8e7e
SHA256

fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568
SHA512

fa6e11ad34666b9d0a54db57ad48e494e268a6be850c3421149021431bedc47a849a53d0f68c667c19739cf2afa06a40aabafff09722929d57e8cbe3661c7b4d
SSDEEP

6144:/igf1QLinMjG5kdHsBd8HkZvLJ0DJKtJoUTx5JPccJM+FtkedAqsPBXi54F5zVR9:/igfOL2M+kygH2LdlTgfB1o02qL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	14Q25.exe

Executes dropped EXE 1 IoCs

pid	Process
4436	14Q25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4436	2044	fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe	88
PID 2044 wrote to memory of 4436	2044	fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe	88
PID 2044 wrote to memory of 4436	2044	fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe	88
PID 4436 wrote to memory of 4224	4436	14Q25.exe	94
PID 4436 wrote to memory of 4224	4436	14Q25.exe	94
PID 4436 wrote to memory of 4224	4436	14Q25.exe	94

C:\Users\Admin\AppData\Local\Temp\fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe
"C:\Users\Admin\AppData\Local\Temp\fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\14Q25.exe
  C:\14Q25.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" C:\YvYjtf.exe
    3⤵
    PID:4224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\14Q25.exe

Filesize
462KB

MD5
047852f254f727f3ece3da7d9e02a890

SHA1
fe2c5c5255fc718b2e1c12fe5595822087ea8e7e

SHA256
fb82418fc21bc10d4b1a1115adfbe16f4d65cb9935e72475e3ffc172f4701568

SHA512
fa6e11ad34666b9d0a54db57ad48e494e268a6be850c3421149021431bedc47a849a53d0f68c667c19739cf2afa06a40aabafff09722929d57e8cbe3661c7b4d

Download Submit