092f0e970f4830a8b5b2705bf572c478993f3c4a974accd71a3b21d64559ae1a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3067d007b70614dccb5663d8febae43.exe
Size

43KB
MD5

a3067d007b70614dccb5663d8febae43
SHA1

78be8cf5ff73b12021d6d93f90603a377a5178b3
SHA256

092f0e970f4830a8b5b2705bf572c478993f3c4a974accd71a3b21d64559ae1a
SHA512

29183b0eda0c8ddaf610ca6bcd4f72b11941cd9a491d1f37de0395936871a037ddaeb41adfbc89e08e1771923fc97bfa227ad0b8b9b6b3d39863593cc67ca179
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen754XcwxbFp1Rr:bxNrC7kYo1Fxf3s05rwxbF79

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	a3067d007b70614dccb5663d8febae43.exe

Executes dropped EXE 1 IoCs

pid	Process
3892	pissa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3892	5028	a3067d007b70614dccb5663d8febae43.exe	89
PID 5028 wrote to memory of 3892	5028	a3067d007b70614dccb5663d8febae43.exe	89
PID 5028 wrote to memory of 3892	5028	a3067d007b70614dccb5663d8febae43.exe	89

C:\Users\Admin\AppData\Local\Temp\a3067d007b70614dccb5663d8febae43.exe
"C:\Users\Admin\AppData\Local\Temp\a3067d007b70614dccb5663d8febae43.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
43KB

MD5
3073de13c05cc17d50b7b72778ac9d00

SHA1
dbd5cdfd7804c7036d9255c5eb4f53913fdda9f8

SHA256
e4297168186e79ae7cd2dffaec834165b1d24a3206e8c1c00cec4e0fece004df

SHA512
de314c8a2c0ef33de54ab8bfb7e858e71866fe16cbe6e7c06be1127d26af717b35690b685f82fb1a7d9766ee7b0cca18ca3c6ad2ba0a5c17f72ad77fe253e742

Download Submit
memory/3892-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/3892-23-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download
memory/5028-0-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/5028-1-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/5028-2-0x00000000023C0000-0x00000000023C6000-memory.dmp

Filesize
24KB

Download