b43596d5a955b11ebd7dd3fae2858419ddb1b9c6a40264a78b207d3081248a99

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfb48e49bd464f09c5b3563c3f3d81ef.exe
Size

36KB
MD5

cfb48e49bd464f09c5b3563c3f3d81ef
SHA1

cbc19f1ae78498a3944781b565ff06af647ec09b
SHA256

b43596d5a955b11ebd7dd3fae2858419ddb1b9c6a40264a78b207d3081248a99
SHA512

ec815c159d03a509356421fe52698096ec799990ceccf2d035025ca66d3bf07b149e72ada8149e96edb134161a6b400067531d21964e70f9518870c4f12c8994
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZCb9q8Iujdxy:b/yC4GyNM01GuQMNXw2PSj1Pqq8By

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cfb48e49bd464f09c5b3563c3f3d81ef.exe

Executes dropped EXE 1 IoCs

pid	Process
3652	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3652	448	cfb48e49bd464f09c5b3563c3f3d81ef.exe	87
PID 448 wrote to memory of 3652	448	cfb48e49bd464f09c5b3563c3f3d81ef.exe	87
PID 448 wrote to memory of 3652	448	cfb48e49bd464f09c5b3563c3f3d81ef.exe	87

C:\Users\Admin\AppData\Local\Temp\cfb48e49bd464f09c5b3563c3f3d81ef.exe
"C:\Users\Admin\AppData\Local\Temp\cfb48e49bd464f09c5b3563c3f3d81ef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
36KB

MD5
2870da26b72ca7fdf203de1f42374e8e

SHA1
3e373fae374bdd27da463ade33539f515525f90b

SHA256
f8a1d9bffefbe23da060c8fbb80436837554401ef8350ba37c57f8682145efcf

SHA512
1177cbb80961dab64c54224755ea98c97e0865af383330beeb9b3232371f05f19ceb971ee83e80a8f959f848f1bc5389cfc8627b9392862ba8220ce975b99d97

Download Submit
memory/448-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/448-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/448-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3652-25-0x0000000001FA0000-0x0000000001FA6000-memory.dmp

Filesize
24KB

Download