241a1cc219699fa6a2b0264004f69b48309548ebcb8e593e13e685647e5c11c3

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5effafe2952a3d7eaca4ffdbbd7a016.exe
Size

341KB
MD5

d5effafe2952a3d7eaca4ffdbbd7a016
SHA1

5030e1682eb8c20280632365243975cadc0ed8f0
SHA256

241a1cc219699fa6a2b0264004f69b48309548ebcb8e593e13e685647e5c11c3
SHA512

c0f96f8198e42fd0c62a7f6a46e5724fe91e2b6149342998536cb6c016a817ae4ea202511f6c5e19f465d325447eb329d55dae20dc82f36afcc826a350596720
SSDEEP

6144:a1hlpD33tDkeJSLbii5bkgVuN+xSKV7Wkrsf7LsI51LWKOPUvKmKF8lM:shlZ33tDyXikbkgaISKVC1WMih8lM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	d5effafe2952a3d7eaca4ffdbbd7a016.exe

Executes dropped EXE 1 IoCs

pid	Process
1640	AA22271D-46E0-4C3A-8E73-6E72810C49D7.exe

Loads dropped DLL 1 IoCs

pid	Process
5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1640	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	90
PID 5028 wrote to memory of 1640	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	90
PID 5028 wrote to memory of 1640	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	90
PID 5028 wrote to memory of 4540	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	94
PID 5028 wrote to memory of 4540	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	94
PID 5028 wrote to memory of 4540	5028	d5effafe2952a3d7eaca4ffdbbd7a016.exe	94

C:\Users\Admin\AppData\Local\Temp\d5effafe2952a3d7eaca4ffdbbd7a016.exe
"C:\Users\Admin\AppData\Local\Temp\d5effafe2952a3d7eaca4ffdbbd7a016.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5028
- C:\c2a7399b-bf58-49fc-8000-18cc5789bd51\AA22271D-46E0-4C3A-8E73-6E72810C49D7.exe
  "C:\c2a7399b-bf58-49fc-8000-18cc5789bd51\AA22271D-46E0-4C3A-8E73-6E72810C49D7.exe" -y -p82649C1C-4194-4D78-BF3D-79A48711A992
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\c2a7399b-bf58-49fc-8000-18cc5789bd51\start.hta
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\c2a7399b-bf58-49fc-8000-18cc5789bd51\AA22271D-46E0-4C3A-8E73-6E72810C49D7.exe

Filesize
208KB

MD5
4700ebdd7ce3f9850134a8596df0577b

SHA1
c365de2d3f42a6ab0acfa97712f5c97e0700e811

SHA256
e3276562b5646b4a0473385bf7b78bb555dcc4b7618ec84351959b82c472ca0b

SHA512
dbe51066e3d4ca9f381a923d29c1a6b18c5f5cbc20464b3cde97d7915dfa5ed79ccac3b5675759f9f18e83241634c8755810d3286cb08b115d83cd3d992c43c0

Download Submit
\??\c:\c2a7399b-bf58-49fc-8000-18cc5789bd51\InstallerHelper.dll

Filesize
132KB

MD5
d48deea2cc6cbe80632e75a2865be960

SHA1
7f565e75f767d9396b51b3c31980a3dd6417eada

SHA256
88599cd62b71784366590e01e5c7c93342b49857675b38f93c53c7a18aef00c2

SHA512
73042e11fd6e5f1eaa4eb433617d2bc46e1370dc7c22c45a6244426d2c29fc752f09976662835022617acee5a45c606742be096ee2580937c5e0a371f7f87177

Download Submit
\??\c:\c2a7399b-bf58-49fc-8000-18cc5789bd51\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\c2a7399b-bf58-49fc-8000-18cc5789bd51\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit