be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe
Size

279KB
MD5

b787bda97fa8cf69965437be3781e362
SHA1

431628b962e49a24f1dcf32f99012f210df08001
SHA256

be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92
SHA512

a00a1eacd68320971e861dc8bf98dcf16a2e0a1d0dad916eec0187501b694ec88de07b403b74f01e8f33a4d018cb1cbeb2a346a3bf72b98a0e82784948e6fc6b
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfDa:boSeGUA5YZazpXUmZhZ6ST

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe

Executes dropped EXE 1 IoCs

pid	Process
3804	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 3804	1676	be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe	95
PID 1676 wrote to memory of 3804	1676	be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe	95
PID 1676 wrote to memory of 3804	1676	be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe	95
PID 3804 wrote to memory of 1872	3804	a1punf5t2of.exe	96
PID 3804 wrote to memory of 1872	3804	a1punf5t2of.exe	96
PID 3804 wrote to memory of 1872	3804	a1punf5t2of.exe	96

C:\Users\Admin\AppData\Local\Temp\be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe
"C:\Users\Admin\AppData\Local\Temp\be045f260ad5d1db0ea0b250a2a8289229e7883d9c4aad024c643f3fce112d92.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
279KB

MD5
638641615008278aad28a8620fe8d32d

SHA1
22c0a82d090dc0d74b86bddd26de1e45ba7fae7b

SHA256
ec322ab714dc78b9015b8e6f69e1c2e35ba80ce9efe03f9bc1eacd3680b31230

SHA512
0c23c5231f2931bd0eb861333ec21809a9089c8ded6c87daa648786dfa732524887e34adef6f9cfb556aed80d5aa3bd34ca868a68d8ad1f27253c13261fdaf5c

Download Submit
memory/1676-0-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1676-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1676-2-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/1676-17-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1676-16-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3804-18-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3804-19-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/3804-20-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3804-21-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/3804-24-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3804-23-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads