c055c136cd08854a5b8bcdf081ede5755aaf4d199b9486f260e89dd14f6d1450

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c67b82ef0d921174885b75aa32e8afcb.exe
Size

41KB
MD5

c67b82ef0d921174885b75aa32e8afcb
SHA1

e002bf92fed6c6a44bb20f8221620d1168d64d46
SHA256

c055c136cd08854a5b8bcdf081ede5755aaf4d199b9486f260e89dd14f6d1450
SHA512

683c9e6bbcaf82b0c72887228282e3d6e67e8328f224476655b0d5ed3503e700df89e8b2da85bbd291557e44ad7663c79ceee5b84f1a766fce0f3b719f17a5ce
SSDEEP

384:60VkMq01bJ3wtEwPS8HLEh+Jagz+3be+26aIIcVRYpetOOtEvwDpjqIGRmdHzOOy:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqh6/U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c67b82ef0d921174885b75aa32e8afcb.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4872	4900	c67b82ef0d921174885b75aa32e8afcb.exe	99
PID 4900 wrote to memory of 4872	4900	c67b82ef0d921174885b75aa32e8afcb.exe	99
PID 4900 wrote to memory of 4872	4900	c67b82ef0d921174885b75aa32e8afcb.exe	99

C:\Users\Admin\AppData\Local\Temp\c67b82ef0d921174885b75aa32e8afcb.exe
"C:\Users\Admin\AppData\Local\Temp\c67b82ef0d921174885b75aa32e8afcb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
41KB

MD5
a13f73f23aa7c83b353eba9153a8b897

SHA1
584c34602d5a2b8ad075284b07e959964a9cfe12

SHA256
a92b8947adfc766e16c1ef4986698c65bfe9d040d958e562b1c35de96b3891a6

SHA512
29fd1634c4225c1732b699bd38d9b24403a1faf2edba7cdbdcfb76e4a9b829292c2ca6495a175b112fae755c52939202fb67618b591cdcb35cee23b33c5dcd69

Download Submit
memory/4872-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4872-20-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4872-19-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4872-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4900-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4900-1-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4900-2-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4900-3-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4900-21-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download