db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe
Size

56KB
MD5

7d39c467a6d5b676dcdcfa54600c6583
SHA1

f37932038b1511011cd15e6555fe164828bf7b72
SHA256

db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66
SHA512

ffef27a99af8a538ff65881ce2d4a2cfe994dd12111f75b8de068ed78644b567dd4d02a1103f752bbe29328756a6c9eb814939a7f1ac2f3626f0246ca72e6fd1
SSDEEP

1536:IV/AAJdi1zB3E1yshODwuPdB8I+Jr/Dt0:IVAADiv3E1yshOb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe

Executes dropped EXE 1 IoCs

pid	Process
216	weyjba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 216	3304	db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe	89
PID 3304 wrote to memory of 216	3304	db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe	89
PID 3304 wrote to memory of 216	3304	db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe	89

C:\Users\Admin\AppData\Local\Temp\db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe
"C:\Users\Admin\AppData\Local\Temp\db911f95ce0d1262911e5c405ca40dcdc870974b8ef25d827909413ee6bdda66.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\weyjba.exe
  "C:\Users\Admin\AppData\Local\Temp\weyjba.exe"
  2⤵
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\weyjba.exe

Filesize
57KB

MD5
b42368600c8c4c4f6f999e8c20c9f3ec

SHA1
f89de517b002bb605dc9205b15d0354dd0cda360

SHA256
98d7866cfd55647297eee1b14fd231b4efd1ed6c285a5eab59e419a248d2dcd3

SHA512
176601a4af23ceacb8ad7913426418a262b3a0c4bdac3261e990f2c79a5f7ed77d8512c3d7194d12c9f7a7ff4e202f7ab3d0c1f91b9661e1d4e6549eb8675633

Download Submit
memory/216-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/216-25-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/3304-0-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/3304-1-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/3304-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download