ad0d8c4b22e9ae3fcb83dfc0cd8113c9013e6945924bf6aeb0e9bb6d797b43cb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b4bf7d9089788bb7f19f7a8e527d4f.exe
Size

3.4MB
MD5

c4b4bf7d9089788bb7f19f7a8e527d4f
SHA1

182cf7e4e5d011523a891286fab19d747f098da0
SHA256

ad0d8c4b22e9ae3fcb83dfc0cd8113c9013e6945924bf6aeb0e9bb6d797b43cb
SHA512

90443c5cdd8b4951aa6ded40acd163c4ab8beee5ea23e9ac8e9d683aea7520e4c6e00bf52ea984fa5d3e686f1aa0b7d06df3bd6880bc5511bdcaa1515eafcc26
SSDEEP

98304:JYy2g2eODGhQekoXmduwGrJU58o9eHmkqh+y:GgQDk2Si58o9eTqh+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
50	212	cmd.exe
51	212	cmd.exe
54	212	cmd.exe
75	212	cmd.exe
76	212	cmd.exe
103	212	cmd.exe
104	212	cmd.exe
155	212	cmd.exe
180	212	cmd.exe
182	212	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c4b4bf7d9089788bb7f19f7a8e527d4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	6eTvYbMXEU.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe	c4b4bf7d9089788bb7f19f7a8e527d4f.exe

Executes dropped EXE 2 IoCs

pid	Process
1888	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
1336	6eTvYbMXEU.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe
212	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4440	2656	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	87
PID 2656 wrote to memory of 4440	2656	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	87
PID 2656 wrote to memory of 4440	2656	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	87
PID 4440 wrote to memory of 1888	4440	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	97
PID 4440 wrote to memory of 1888	4440	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	97
PID 4440 wrote to memory of 1888	4440	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	97
PID 1888 wrote to memory of 1336	1888	6eTvYbMXEU.exe	98
PID 1888 wrote to memory of 1336	1888	6eTvYbMXEU.exe	98
PID 1888 wrote to memory of 1336	1888	6eTvYbMXEU.exe	98
PID 1336 wrote to memory of 212	1336	6eTvYbMXEU.exe	102
PID 1336 wrote to memory of 212	1336	6eTvYbMXEU.exe	102
PID 1336 wrote to memory of 212	1336	6eTvYbMXEU.exe	102
PID 1336 wrote to memory of 212	1336	6eTvYbMXEU.exe	102
PID 1336 wrote to memory of 212	1336	6eTvYbMXEU.exe	102

C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe
"C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe
  "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe" "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe" "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe

Filesize
462KB

MD5
0091efcfd3614b21c29d8ca90d2a5fc9

SHA1
3ed9b947e4eb83f15ff67e3f30ee18b3e6d6cc9c

SHA256
8fc2fa220a96c7e4cea09b9e1afefc28cf987adfa5d232450fd54f5bb7a4c90e

SHA512
239dec67fce4e1db54365220c919f105e7d57777ed9a10b2e213983daee1d577abf6498f31608b3b528f3a54704782bc36635e5057789e326e683302de0bd2b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe

Filesize
269KB

MD5
72b54f11cd05fcb470f092018908a2ab

SHA1
ad265a786819ed564d3c17f8da0e345df8b98007

SHA256
f360310572ae10f115909113cb6edb3eeb01a279608f5bc1ea5ed10e842a3205

SHA512
6a7def0070651088a0384a861baa0ee49b745f679826e06136701c02c8abc81af6b5961c9d112fc1c0e70286a7b08e77b0d6abf5d553d1722ffa76b0727d5253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe

Filesize
1.3MB

MD5
da192d459dafa041938b1036eda032d3

SHA1
51acc7f4699dbadcd91dec36b36366d42d7a6e09

SHA256
efedf3aa88bcc338634d210187f6df88b01b1d376928f0d064304492b8da1122

SHA512
fc0e7f61f49f85a990ae561e9cb9570e1ce02c358a50a57a3ccd61927f12d6343519a787f7705e52b770274221b355143dbed75e183279c8c853b75516476387

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eTvYbMXEU.exe

Filesize
630KB

MD5
81733bdaa5b8700c79f972566803fce5

SHA1
33aacd6686ebc8aea211baa6da2f0a69c1aabd49

SHA256
dbce2c08fd1b9c5956cb4a5f82ce7d00cf238f017291508664032787068fcb82

SHA512
0d1ebd3a1dcf1f1044d7e16bee394f7087328ff673b4e2c91507ae4f1ad96274a985243113e177c4e868e2f5b37fcfea4c5d353e7c3c3eee9a955cdf87692286

Download Submit
memory/212-33-0x00000000020C0000-0x000000000215E000-memory.dmp

Filesize
632KB

Download
memory/212-35-0x0000000004F30000-0x0000000004F79000-memory.dmp

Filesize
292KB

Download
memory/212-48-0x0000000007510000-0x000000000771B000-memory.dmp

Filesize
2.0MB

Download
memory/212-47-0x0000000006D50000-0x0000000006E0D000-memory.dmp

Filesize
756KB

Download
memory/212-50-0x0000000006EF0000-0x0000000007284000-memory.dmp

Filesize
3.6MB

Download
memory/212-46-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/212-41-0x0000000007510000-0x000000000771B000-memory.dmp

Filesize
2.0MB

Download
memory/212-45-0x00000000020C0000-0x000000000215E000-memory.dmp

Filesize
632KB

Download
memory/212-42-0x0000000007360000-0x0000000007407000-memory.dmp

Filesize
668KB

Download
memory/212-39-0x0000000006D50000-0x0000000006E0D000-memory.dmp

Filesize
756KB

Download
memory/212-40-0x00000000020C0000-0x000000000215E000-memory.dmp

Filesize
632KB

Download
memory/212-38-0x0000000006E10000-0x0000000006E8E000-memory.dmp

Filesize
504KB

Download
memory/212-37-0x0000000005E00000-0x0000000005EEA000-memory.dmp

Filesize
936KB

Download
memory/212-22-0x0000000001A60000-0x0000000001AF9000-memory.dmp

Filesize
612KB

Download
memory/212-36-0x0000000003C40000-0x0000000003C61000-memory.dmp

Filesize
132KB

Download
memory/212-49-0x0000000007360000-0x0000000007407000-memory.dmp

Filesize
668KB

Download
memory/212-25-0x0000000001A60000-0x0000000001A7B000-memory.dmp

Filesize
108KB

Download
memory/212-27-0x00000000020C0000-0x000000000215E000-memory.dmp

Filesize
632KB

Download
memory/212-44-0x0000000001A60000-0x0000000001A7B000-memory.dmp

Filesize
108KB

Download
memory/212-29-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/212-30-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/212-31-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/212-32-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/212-43-0x0000000006EF0000-0x0000000007284000-memory.dmp

Filesize
3.6MB

Download
memory/212-34-0x00000000020C0000-0x000000000215E000-memory.dmp

Filesize
632KB

Download
memory/1336-23-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1336-24-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/1336-21-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/1336-20-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1336-19-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/1336-18-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/1336-17-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/1336-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1888-26-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1888-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2656-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2656-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4440-13-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/4440-11-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4440-2-0x0000000000A50000-0x0000000000AEE000-memory.dmp

Filesize
632KB

Download
memory/4440-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download