fd387b82c2884d0ed58f5270db6bc558c75a80fdc5177e7d3e1abbeb1c76483c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f46bc1ef2341e10331e1f3e26eb56cb1.exe
Size

100KB
MD5

f46bc1ef2341e10331e1f3e26eb56cb1
SHA1

6ccc158eb8f32ef4230ed9cefe900f6f45c454b8
SHA256

fd387b82c2884d0ed58f5270db6bc558c75a80fdc5177e7d3e1abbeb1c76483c
SHA512

66eb38a4d3959371ebffb72a74c3e9ed8d29496750d2ae2ee0e753913a4347d842c697118c6a8874c6f7584cf872da00baf1c0be4b88e1f27af24f523abd9e7b
SSDEEP

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWfbZ7uyA36S7MpxRiWNa9mktJHlv/k2yO00:xj+VGMOtEvwDpjubwQEIiVmkxv/uS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	f46bc1ef2341e10331e1f3e26eb56cb1.exe

Executes dropped EXE 1 IoCs

pid	Process
3748	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3748	2344	f46bc1ef2341e10331e1f3e26eb56cb1.exe	84
PID 2344 wrote to memory of 3748	2344	f46bc1ef2341e10331e1f3e26eb56cb1.exe	84
PID 2344 wrote to memory of 3748	2344	f46bc1ef2341e10331e1f3e26eb56cb1.exe	84

C:\Users\Admin\AppData\Local\Temp\f46bc1ef2341e10331e1f3e26eb56cb1.exe
"C:\Users\Admin\AppData\Local\Temp\f46bc1ef2341e10331e1f3e26eb56cb1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
100KB

MD5
034762477d1309815ec3f5f7e8001a51

SHA1
1d5bfab46c78013204e093843b3e35d6ddda4531

SHA256
048bdd67e4aba93ca8e5587dea3e633057927949886c38f0999e21b2a4b4698d

SHA512
783c8af9bc057e64aa14697a3653aa986dbe7f1a068a52f513b2df39c43dc6498d9f5bf3671e766e3240a534941359df48a3371041c5d8158e1be33366ccc66b

Download Submit
memory/2344-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2344-1-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2344-3-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/2344-2-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2344-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3748-19-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/3748-25-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/3748-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download