55ce783dfb77a157fecb17badf27b31d8c12e2fa5d4b6eb7b3688d75f6a093d9

Analysis

max time kernel
124s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16738f935ca7f46892781854eb9d761a.exe
Size

49KB
MD5

16738f935ca7f46892781854eb9d761a
SHA1

95f9d9abc25a42a4611bc80bb91b20c9920cfd93
SHA256

55ce783dfb77a157fecb17badf27b31d8c12e2fa5d4b6eb7b3688d75f6a093d9
SHA512

2d4319dd6d57a7e91d16d611dc1887652b46ae28fb704ea651f3a49afb5e92061a911497a117263c50dbaf8e6b0c0e8542e6189685327e7de239ee6ac7d0a462
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPhqlcnvhx5/xFRkHu:6j+1NMOtEvwDpjr8hhXiO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	16738f935ca7f46892781854eb9d761a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3192	1808	16738f935ca7f46892781854eb9d761a.exe	87
PID 1808 wrote to memory of 3192	1808	16738f935ca7f46892781854eb9d761a.exe	87
PID 1808 wrote to memory of 3192	1808	16738f935ca7f46892781854eb9d761a.exe	87

C:\Users\Admin\AppData\Local\Temp\16738f935ca7f46892781854eb9d761a.exe
"C:\Users\Admin\AppData\Local\Temp\16738f935ca7f46892781854eb9d761a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
49KB

MD5
96db1f6d70207d17c626b2d2b690f26c

SHA1
84afb080abeea22628d3b91ee209062e2dd06a96

SHA256
583142c5f00d791028cf1f31607cbdeee2dba24f16996b89b8732e33ee492405

SHA512
f9a2a6094b552e988a2c75959b3d05155814133d64e1d4c6442a3cab260820f2398334a7f231c67c980ba93eca8f80bd49f3c48b8b4597f82d54f702c7c54eca

Download Submit
memory/1808-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1808-1-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/1808-2-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/1808-3-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/1808-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3192-20-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/3192-19-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/3192-58-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download