7df141c4d1708f56f8a180cfd8d5262e8d80cb615a675a2e38484d33132aba24

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2d7679a051477e924679be2924f06e.exe
Size

910KB
MD5

de2d7679a051477e924679be2924f06e
SHA1

26f7fdd78a87bfd861858f63e1d3c886ed5c3842
SHA256

7df141c4d1708f56f8a180cfd8d5262e8d80cb615a675a2e38484d33132aba24
SHA512

356f633f8f6306f73a3b2b641076bc7be2a2ce7918b133da70b94d7e8dce0543550636e75a058ad1f2bd5b9f0119ec4f103243911a4b2c7c424d94eb28692c5c
SSDEEP

12288:4pGcy/YvMQolHdZVPXFpjgW/g3uECS2rXWDAwdCOd7Ray8L52pZcRVOL4:cNVMQolHFN+ggeY2Xzwd5wHEZoO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	de2d7679a051477e924679be2924f06e.exe

Deletes itself 1 IoCs

pid	Process
3568	tempfile_238574.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	tempfile_238574.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3568	2088	de2d7679a051477e924679be2924f06e.exe	97
PID 2088 wrote to memory of 3568	2088	de2d7679a051477e924679be2924f06e.exe	97
PID 2088 wrote to memory of 3568	2088	de2d7679a051477e924679be2924f06e.exe	97

C:\Users\Admin\AppData\Local\Temp\de2d7679a051477e924679be2924f06e.exe
"C:\Users\Admin\AppData\Local\Temp\de2d7679a051477e924679be2924f06e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\tempfile_238574.exe
  "C:\Users\Admin\AppData\Local\Temp\tempfile_238574.exe" de2d7679a051477e924679be2924f06e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tempfile_238574.exe

Filesize
365KB

MD5
debb3cf902e7822c0cd144dbd09239c7

SHA1
6cf5e78ac8507c9f3271cfeb002d1864774bbc72

SHA256
c566917818761732431714ddd3b2cdea1e35ecc3cdb4ea52a057c977925643e8

SHA512
52cda57b4d2e83f06f685af8a7250b3cf03e86c4bf2d3a25516c9060eb27eb454bb24ea9b7ec3caee75aa18775fa7adbec2edd8ef0a205eb74f534180266698c

Download Submit
memory/2088-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2088-9-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2088-11-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3568-10-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3568-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download