b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	$_3_.exe
2940	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2940	$_3_.exe
2940	$_3_.exe
2940	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3624	2940	$_3_.exe	94
PID 2940 wrote to memory of 3624	2940	$_3_.exe	94
PID 2940 wrote to memory of 3624	2940	$_3_.exe	94

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19793.bat" "C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\""
  2⤵
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\$I4MMI12

Filesize
96B

MD5
277e200946d40fb537c70cad9ec3b88f

SHA1
1f95cc6d29f206772b4fae923de1dd736b889691

SHA256
970f71990ea9873e35f69356517e68155bf8ef200459a0a2dfe48455f0e8ed32

SHA512
a46ee4e35520871a7efd4c5563bcd4e882f54f8e3966c817ff87abb9e2c8eba59cc1368a3846f39ad77269e6d9d392c7493446f48ed3ffd18017f28725848fda

Download Submit
C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\$ISE3S8R

Filesize
98B

MD5
139763c249657aa1116c4f2fd5154c98

SHA1
cc147d951424e4df4050c0affa7d4a3ea2c29439

SHA256
931816c42136e5cf52603919681a0ca0d04160751c973842030639ea1444c67b

SHA512
5d4abceeb764097261175e71030c3e30abf9e151fde390b282654e338af090dd11fb516007867f57e5fc2e74e10330ce812329710a3209e4e00f4f4ea6e69d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\19793.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\2D890ACF994B43E58917CE5454810CD8_LogFile.txt

Filesize
2KB

MD5
0d09bfacdc201ed4196ca510223f3278

SHA1
95b8df29e4854578899c1d04c546bab4935f8091

SHA256
e8695697da6f081b6b6bbc9903b0830548f0a97d34409623d94f9d7cace5c097

SHA512
276c0a4f6805ca2c1c6cb5f321636e109eb6945f47aa739d453fd0e6e25f0ca42509ac207d3967ca72cdaab522b7affb123af000710153578942894e2ffeea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\2D890ACF994B43E58917CE5454810CD8_LogFile.txt

Filesize
3KB

MD5
158c3f2ced78a7ba28c58d0a72ddd5c5

SHA1
695d4c81ed0b6dd103a7f9e661861870f425d82d

SHA256
936bb10165faea7c12d38d6e25dee3b4b08ad811ed9120c1bf0ca3a59204f533

SHA512
a5503cacb914cc5291601c65080b3d02a61eaf9303a9d0293f9ea77194cf594f2b2779bb2dd279f9d4eaaee4c317e912dbda1e22e2b32233c1b25693e1fa00ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\2D890ACF994B43E58917CE5454810CD8_LogFile.txt

Filesize
2KB

MD5
e8df60985f33cc272ce847643d1e6806

SHA1
7c2e12d6339cdf8a4ce30af0e70f77f7a19bc420

SHA256
5517c8a64c18620d2e3f711e0eb4cb3313ac9e6f2482665c8ce51932baa26432

SHA512
c616edef9b3d5e9e0f25bc24aed4849361e7caeb177ae68d1de8100d35a2b247ee14a903dfe8a19da61e2136d9c6d2ed209de7fc68b5716a96a05012364af04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\2D890ACF994B43E58917CE5454810CD8_LogFile.txt

Filesize
4KB

MD5
c3bd177ee7ef5d997cc92d7aa782ceca

SHA1
46e31d4b6c9b88045e302fa50141628e9485421b

SHA256
0da4a7250d063ce97263bd26111c256dd9e041d10d5ad7cb37e19b6cdbb20a65

SHA512
406a0cf613bc6ec9cc30bf6172e795cc11cdc0a2ce4338efb3f3173abd2f74872daaebbf3f9e3add5f4d774c14e130f17c2bc71062e3c9ab91687aca89d6fc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D890ACF994B43E58917CE5454810CD8\2D890A~1.TXT

Filesize
27KB

MD5
1bd0fbc66c54abb558e2c8b2875ab218

SHA1
e2d199ced80b7bd1cd84af2c7116a5f9412888b3

SHA256
b6affab546bae32cd911ff45e81d44f9d2ac2e5168e8b8281e12027a41daf451

SHA512
74647eff1775f6df5eb888f5903f2bd5f363e0edccb4aaab546a0dbcbcb7418871b0382be6edab490a8af7ac4660dfd77cd704be3951a31640ce2488081de040

Download Submit
memory/2940-63-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2940-199-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download