e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe
Size

40KB
MD5

20a6ed9677634ab398d3affeb93d580b
SHA1

05b297227a8efe6ed8902e8799594f73bb144c77
SHA256

e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2
SHA512

a3157b22a79ff5ff848d3aa227a56fda3d31a5ad50b6ae39ff3761a792083b7c5046d04dc7247c31f5cdde92be5eb8ff203876a8b8f4711e65f03da8816f4745
SSDEEP

768:mUz4HXnmTggggggLvggggggggSvNltsdUk7Nz1XzTx6QXTDcVVht:BMH3lNMKkPzT8QsTt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe

Executes dropped EXE 1 IoCs

pid	Process
4700	zzyap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 4700	948	e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe	86
PID 948 wrote to memory of 4700	948	e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe	86
PID 948 wrote to memory of 4700	948	e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe	86

C:\Users\Admin\AppData\Local\Temp\e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe
"C:\Users\Admin\AppData\Local\Temp\e2ab8b11a1ae32eafb1d6c97f776bfe10400799be0c980b085470e4c254b1ed2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\zzyap.exe
  "C:\Users\Admin\AppData\Local\Temp\zzyap.exe"
  2⤵
  - Executes dropped EXE
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zzyap.exe

Filesize
40KB

MD5
565cfd6c3b5177f7d1831b1bb08f1e99

SHA1
91ea096bb6b7502d14c8e5b349144c59678548e6

SHA256
23c7a62c06821ebc7b77374cacabe74d9851fa8515aed65c36902c9acbbb46e0

SHA512
15ba893130b83614c5968f45c8627457507dcf46f1441fe474248f889c7526b75f98b4ffcd63af3d38b8baf5374d3b81498423f598f65f27c9eacb97b7e41807

Download Submit
memory/948-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4700-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download