417f5fc6e480a496e750ab6b496e824ea2b7a72b86fa9f5a13c605a811468b9d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c493af444fea7901083153bccac57bbe.exe
Size

14KB
MD5

c493af444fea7901083153bccac57bbe
SHA1

b21bc271d2cb7161d9fb86b1b9ee4c096f511ea6
SHA256

417f5fc6e480a496e750ab6b496e824ea2b7a72b86fa9f5a13c605a811468b9d
SHA512

e131d2828c5f84fb595241f572a689847b6e9a976621160ac2ac530d7d298714bc93321c6a0f94cfecb83c36f762da824b8ab36cbd3020bad8ffdd0bd234b2fb
SSDEEP

384:35kct3Dha/6rjvYYm6V7qiEfwp9yhXBmvu+SAqHjK:36ct3VFjV7yhXBmvu+s

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c493af444fea7901083153bccac57bbe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID	c493af444fea7901083153bccac57bbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl	c493af444fea7901083153bccac57bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	c493af444fea7901083153bccac57bbe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2248	1380	c493af444fea7901083153bccac57bbe.exe	104
PID 1380 wrote to memory of 2248	1380	c493af444fea7901083153bccac57bbe.exe	104
PID 1380 wrote to memory of 2248	1380	c493af444fea7901083153bccac57bbe.exe	104

C:\Users\Admin\AppData\Local\Temp\c493af444fea7901083153bccac57bbe.exe
"C:\Users\Admin\AppData\Local\Temp\c493af444fea7901083153bccac57bbe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
  2⤵
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awer0.bat

Filesize
274B

MD5
798df000953e98019e82ad714e466263

SHA1
a38a355d05947fe7baa3bfd34d26a2cf4770374a

SHA256
f359f26e10e2d04ade7cf2f1426018bcb29f5cd3ea0942281a933e4bd7ae6881

SHA512
8ea458f2a17b8501cf4a830530589028984d3cfda1500f5dca9d26c849061546ebb3b1f50b579473e5f0541d9c4b01edb0928407e8ad13f478632e4560870a8c

Download Submit