53a7a87985d3f7ccbdf9a25631ea2c29f13cc4d15b04514180effca9e6dad5c5

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c70318b45d2e083edc1208cb6609faa9.exe
Size

210KB
MD5

c70318b45d2e083edc1208cb6609faa9
SHA1

9428ea5422b91e70a5dcb2be330ab6c0864ca3cd
SHA256

53a7a87985d3f7ccbdf9a25631ea2c29f13cc4d15b04514180effca9e6dad5c5
SHA512

a378ec0638105d5c0c27284ed75a89768649359cf0119b20c26969e51786725cafb8c28cdc0fc36f788da835f4c9bdb27023d9ddfc2c40c47b43a7ebfeeba471
SSDEEP

3072:E1dlKwgj23+Oz05YoNozCl9v9svvb9rvfnHVggs0tTcZ/S+PLURC08w:E1dlZro5yCTSvz9rvf15LTkfPLURC0t

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c70318b45d2e083edc1208cb6609faa9.exe

Executes dropped EXE 1 IoCs

pid	Process
5060	ok1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\4.jpg	c70318b45d2e083edc1208cb6609faa9.exe
File opened for modification	C:\Windows\28íÚç	c70318b45d2e083edc1208cb6609faa9.exe
File created	C:\Windows\ok1.exe	c70318b45d2e083edc1208cb6609faa9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	5060	WerFault.exe	89

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 5060	2004	c70318b45d2e083edc1208cb6609faa9.exe	89
PID 2004 wrote to memory of 5060	2004	c70318b45d2e083edc1208cb6609faa9.exe	89
PID 2004 wrote to memory of 5060	2004	c70318b45d2e083edc1208cb6609faa9.exe	89

C:\Users\Admin\AppData\Local\Temp\c70318b45d2e083edc1208cb6609faa9.exe
"C:\Users\Admin\AppData\Local\Temp\c70318b45d2e083edc1208cb6609faa9.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\WINDOWS\ok1.exe
  "C:\WINDOWS\ok1.exe"
  2⤵
  - Executes dropped EXE
  PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 264
    3⤵
    - Program crash
    PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5060 -ip 5060
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
201B

MD5
49ee440e54cdbad4ad11f8787de88f3b

SHA1
e8c534bbf50c180ad015c4ca835de69edbadb3e6

SHA256
8ed322ce55f240f5d1fc1801bb17fd0454268487819c9032fb814bf729da4db3

SHA512
5c1264549eaae4732509f0b0591cea4512535d0fe4f06a4d39d40ef774d02445997f34282eb1f92b8660740c291744ebcfe335409739acd3ebca0fa61fdbe944

Download Submit
C:\Windows\ok1.exe

Filesize
56KB

MD5
606552e17b15862aff4cb1ef7ad3cade

SHA1
5fa6f9a02729d0b310ff5756604e4dd58eea6b10

SHA256
e75e60ef8e839106429e2e41d7877dfabede5878f7686977e429794fdacb240b

SHA512
8e6c49cef60de199ebdb09ec5ca59f40d5d3c93217a2f5937b522e5522b68e4c6ec2fb72c17fe090e4de59bf35c59bf7c767f045058466ea7fd0beb139316a35

Download Submit
memory/5060-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5060-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download