8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036

Analysis

max time kernel
158s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ef9cb45f5cc4b446a43056ec73a48b.exe
Size

3.4MB
MD5

c3ef9cb45f5cc4b446a43056ec73a48b
SHA1

f9e774d51a2e869da2d153609b4fc3c2497dbc63
SHA256

8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036
SHA512

cb60efb057bae4764c3fb3ee3ae4da1ed95a72155dc7f9f28e7ded64e70a6643e33f0f8061fb69fbb7d8a18c869df76f8a9af692e954121fb9d7e75df9d19e31
SSDEEP

49152:OsmJOgW/G5HEJDI3pzZVKItiZlermD3jz/Tygr6tKyQtzyVhDpyLajBHj4f6gZBs:OsiWgn3XsI65//JG+CPbRjrgZQ0c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
50	4132	cmd.exe
51	4132	cmd.exe
54	4132	cmd.exe
55	4132	cmd.exe
56	4132	cmd.exe
64	4132	cmd.exe
65	4132	cmd.exe
116	4132	cmd.exe
119	4132	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c3ef9cb45f5cc4b446a43056ec73a48b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8vIzgms1D.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe	c3ef9cb45f5cc4b446a43056ec73a48b.exe

Executes dropped EXE 2 IoCs

pid	Process
2424	8vIzgms1D.exe
3296	8vIzgms1D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
3296	8vIzgms1D.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe
4132	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2856	2076	c3ef9cb45f5cc4b446a43056ec73a48b.exe	100
PID 2076 wrote to memory of 2856	2076	c3ef9cb45f5cc4b446a43056ec73a48b.exe	100
PID 2076 wrote to memory of 2856	2076	c3ef9cb45f5cc4b446a43056ec73a48b.exe	100
PID 2856 wrote to memory of 2424	2856	c3ef9cb45f5cc4b446a43056ec73a48b.exe	104
PID 2856 wrote to memory of 2424	2856	c3ef9cb45f5cc4b446a43056ec73a48b.exe	104
PID 2856 wrote to memory of 2424	2856	c3ef9cb45f5cc4b446a43056ec73a48b.exe	104
PID 2424 wrote to memory of 3296	2424	8vIzgms1D.exe	105
PID 2424 wrote to memory of 3296	2424	8vIzgms1D.exe	105
PID 2424 wrote to memory of 3296	2424	8vIzgms1D.exe	105
PID 3296 wrote to memory of 4132	3296	8vIzgms1D.exe	107
PID 3296 wrote to memory of 4132	3296	8vIzgms1D.exe	107
PID 3296 wrote to memory of 4132	3296	8vIzgms1D.exe	107
PID 3296 wrote to memory of 4132	3296	8vIzgms1D.exe	107
PID 3296 wrote to memory of 4132	3296	8vIzgms1D.exe	107

C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
"C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
  "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe

Filesize
3.4MB

MD5
a5c336e12d7db3edf2330bdf21b57e55

SHA1
86f6fe262a792520003a3a60bc9cd0cd957200fd

SHA256
bc24aba31b34f328fe080d49d6d5f598efedf44ef1b3f9c4dbde1d5708a24ef3

SHA512
cff4352eccc8076212b6505e020caf544ebc8adbc89941dfa18688c7f23d54836258e5edce7fdc3848c747b23b765e75a30372286b0bf39c3147e45476a74c96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe

Filesize
1.3MB

MD5
a5d71a5db6cb25481bdeed3d0bc50040

SHA1
076c84fbe70d637406389ea15bd760fd1aae549b

SHA256
07b4759ec2a2a759e457d742cc449f16148cdaa273fa0a22fcb66a02b5fb05cf

SHA512
607625da8b9868c093da74f6546d8924a534bed574a1f680e928c89ca04a57aa93843943a9947e2d4dc8feb359cdb8b1fbc401687463f8efc02f7b2ccb7c8544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe

Filesize
872KB

MD5
170bdb7a5025cd6ff96c582c4b14798c

SHA1
8b92f6cc67c4e289ead3f2067cc2cae50ae70630

SHA256
3bd9bdebee39d311dde3eefedfcdf5ccd40d6ac8c7ebbcf48a91e030bfe2be6e

SHA512
1caaf8317310d015a421ca0af99fc571d33694ad229e80366e10027c392d42f3372b9c695c269fede11629b9f11b302f5873ad6ad10c04cfed5500bd49e24b81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe

Filesize
657KB

MD5
7e9ccf2f3c150e6f5653c2407878a6f7

SHA1
fb825e3a393d626162903d72bea797fdd5efc714

SHA256
f7ca725d4dc917c8971efb482f4462975d0b35dfd606d2f98bff35d75a962b99

SHA512
3e8a6e81d41dd452b9a04e18c70b06d94369e097ca419a8fb1212aa0335d4304b4229b101417c8a1a0e65284dc07e19510f47dcc650434031dceeec197f65ad2

Download Submit
memory/2076-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2076-2-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2424-19-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2856-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2856-3-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2856-4-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/2856-20-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/3296-23-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/3296-39-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/3296-24-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-25-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-26-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-27-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3296-28-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-29-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-30-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3296-31-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-32-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/3296-22-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3296-37-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/4132-40-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-51-0x0000000002680000-0x000000000271E000-memory.dmp

Filesize
632KB

Download
memory/4132-35-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/4132-42-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4132-41-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-43-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-44-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-45-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-46-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-47-0x0000000077A12000-0x0000000077A13000-memory.dmp

Filesize
4KB

Download
memory/4132-48-0x0000000002680000-0x000000000271E000-memory.dmp

Filesize
632KB

Download
memory/4132-49-0x0000000002680000-0x000000000271E000-memory.dmp

Filesize
632KB

Download
memory/4132-50-0x0000000006B60000-0x0000000006BA9000-memory.dmp

Filesize
292KB

Download
memory/4132-38-0x0000000002680000-0x000000000271E000-memory.dmp

Filesize
632KB

Download
memory/4132-52-0x0000000006B30000-0x0000000006B51000-memory.dmp

Filesize
132KB

Download
memory/4132-53-0x0000000006BB0000-0x0000000006C2E000-memory.dmp

Filesize
504KB

Download
memory/4132-54-0x00000000097B0000-0x000000000989A000-memory.dmp

Filesize
936KB

Download
memory/4132-55-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4132-56-0x00000000096F0000-0x00000000097AD000-memory.dmp

Filesize
756KB

Download
memory/4132-57-0x0000000009B20000-0x0000000009D2B000-memory.dmp

Filesize
2.0MB

Download
memory/4132-58-0x0000000009290000-0x0000000009337000-memory.dmp

Filesize
668KB

Download
memory/4132-59-0x0000000002680000-0x000000000271E000-memory.dmp

Filesize
632KB

Download
memory/4132-60-0x0000000009350000-0x00000000096E4000-memory.dmp

Filesize
3.6MB

Download
memory/4132-61-0x0000000006B60000-0x0000000006BA9000-memory.dmp

Filesize
292KB

Download
memory/4132-62-0x00000000096F0000-0x00000000097AD000-memory.dmp

Filesize
756KB

Download
memory/4132-63-0x0000000009B20000-0x0000000009D2B000-memory.dmp

Filesize
2.0MB

Download
memory/4132-64-0x0000000009290000-0x0000000009337000-memory.dmp

Filesize
668KB

Download
memory/4132-65-0x0000000009350000-0x00000000096E4000-memory.dmp

Filesize
3.6MB

Download