7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe
Size

39KB
MD5

6723d61889dd3136b672f731cb106e03
SHA1

e45157145bff3b0d8c1d550bb66cf4415468160f
SHA256

7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547
SHA512

74ca898e5fd32f39061c28f74dc7a9848d88cc27886ce6bed300b058fcc3678158863575969b5b146dbf49b03039d215bac15d34a395acc7700a22775ea1bc2a
SSDEEP

384:kkju1dbvG8Qqrxiw39A9TMi8WXj6qPv1r8SleyKzGb74g3Lc23c51cmmbk2vWB3b:hIC+ZGjnP9VKzO3H3c5fmbrOBL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	pdfview_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 4648	1904	7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe	93
PID 1904 wrote to memory of 4648	1904	7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe	93
PID 1904 wrote to memory of 4648	1904	7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe	93

C:\Users\Admin\AppData\Local\Temp\7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe
"C:\Users\Admin\AppData\Local\Temp\7c22f873e24caebf114e6978608f6541c9043d03574c042ca71005a528008547.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\pdfview_update.exe
  "C:\Users\Admin\AppData\Local\Temp\pdfview_update.exe"
  2⤵
  - Executes dropped EXE
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OCSF5S5B\al2602[1].ssa

Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfview_update.exe

Filesize
39KB

MD5
16390241e865268d0f2af9ec65ff8bca

SHA1
ac07bb67bdbc95a19c54cd0281951754bd5bd66d

SHA256
ed74a6f7bb9b0363cf1e9053bb32494257ad2db5f7f5a485ceeb737dea38952b

SHA512
8ae5373a00525ab5a4b2d89029a73dd1ee299c96a5c00fe1399f78ff0a8eec1b2389d5662a8b16eb6f93358b9d339ae004cc00a568c0703f203fcc3044c079dc

Download Submit
memory/1904-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4648-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download