93542d6e0cb546ade0a4fb5ccedcc1d6dcb3aaba9b44183e692b76fc363cc15f

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2e1f3e3fa536facf8404a621607558c.exe
Size

14.8MB
MD5

c2e1f3e3fa536facf8404a621607558c
SHA1

a6dfe475decd18fe22daa0d17d5a94f82453cfff
SHA256

93542d6e0cb546ade0a4fb5ccedcc1d6dcb3aaba9b44183e692b76fc363cc15f
SHA512

2b332fb30474c0cc7c54586dbc14cd35d3655ed3c2fb0db630f7edef8ab328d1c7037a079d115eec35a2b8e474a7f2e18b92638ecd951acedafa6a5b755c0ab7
SSDEEP

393216:nefNC/zPdHvWwjof9H+xdQlG6tSuQL0c6JkSBmNBStVKFOM:ecdHzoF8dQc6tSLE9mvvFOM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c2e1f3e3fa536facf8404a621607558c.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTC.exe	freebitcoin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTC.exe	freebitcoin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240662937	c2e1f3e3fa536facf8404a621607558c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eagle.Proxy.Scraper.exe	c2e1f3e3fa536facf8404a621607558c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eagle.Proxy.Scraper.exe	c2e1f3e3fa536facf8404a621607558c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe	c2e1f3e3fa536facf8404a621607558c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe	c2e1f3e3fa536facf8404a621607558c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240667109	freebitcoin.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	freebitcoin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4940	1620	c2e1f3e3fa536facf8404a621607558c.exe	102
PID 1620 wrote to memory of 4940	1620	c2e1f3e3fa536facf8404a621607558c.exe	102
PID 1620 wrote to memory of 4940	1620	c2e1f3e3fa536facf8404a621607558c.exe	102

C:\Users\Admin\AppData\Local\Temp\c2e1f3e3fa536facf8404a621607558c.exe
"C:\Users\Admin\AppData\Local\Temp\c2e1f3e3fa536facf8404a621607558c.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
1.1MB

MD5
874f7c53d34e294636f03b159d3a89ce

SHA1
d38624f87b3af12e241eb9fa39cfd2d03ffe639c

SHA256
39d1d39c132546b354280594301b5f625043db294a1152d2e8ff4ff5dfb87d9d

SHA512
cbdc766d71e89643b3ed4d82b0cf00bde5eb227140240e80e55489b4cd0e7aecf3024a8c9a6b601e76fded45d1408120b05d5b65837f2ce92c25c7a2e18aff7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
128KB

MD5
2830e7176d4dfbb273f3880a124d06d3

SHA1
d104872d86826266caa82aef068da02cff2728de

SHA256
aac6fcf3006aa1aee2e4f65305a92ce856e659e3653e5c4bafce5e16aee3b9bf

SHA512
f457064da0556e6c37ea27ce389b326e9862165d29e94c1eaf4b69e3e8e6185769ea20de2ca9df68546d98138d271594c88cd7a83ec0178a4ab278bac7395cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
6.7MB

MD5
606f33aa93b15e0bb336f5e4779eb843

SHA1
d607a14e22adf2e868eab8974336d62fe0c8a163

SHA256
723a1fcf15292de7f3b46668472e90a6741876e5bce3deb9ce1211257aa8cb5d

SHA512
078c16e428b6737a72c36db3f9ba8fee1e7d2f6602bbd35aa8cdfe5d674dacde75e8a74580f5022d560e95e7049db1c885d1c002419c39536c659260d762f769

Download Submit