c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe
Size

13.4MB
MD5

2c0fa27116ef49b74685c24f18fc727b
SHA1

2012f58c109fc87054dd6b558cba58cabfa3eeec
SHA256

c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3
SHA512

bf1eb74b3e80f53536e21a9692bb8a9db699452b759cf7a75085260e71631b0ccdc71c1f782977bb95112083a09934683176a15e8b3df6b945b7020b4d5eadc2
SSDEEP

196608:m1Pr0ExUeobdFncXTSOqsGVUqcy4PZCML4Tj5Tptl4vLFib+Ntr+6DpQxod9wYgv:kPrVxUeobdFcD9gjcyXHCg+NUepQC9Y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2520	3192	c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe	92
PID 3192 wrote to memory of 2520	3192	c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe	92
PID 3192 wrote to memory of 2520	3192	c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe	92
PID 2520 wrote to memory of 2448	2520	WScript.exe	93
PID 2520 wrote to memory of 2448	2520	WScript.exe	93
PID 2520 wrote to memory of 2448	2520	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe
"C:\Users\Admin\AppData\Local\Temp\c2bb5f207bed5f7d3e36826812a96a194083b098abc7d298736a240ac2d949e3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
36B

MD5
da80cd1b0d1bf6145a62d72ba26cea9f

SHA1
157d08a6014dde2bfcc40bd35e3358d6730d4888

SHA256
566869d5334d1634a096a9522314beb691e337e9903ec8e172435b10e531516d

SHA512
2312ce08a59cd9c4a74de25e6af426a2216c3c46f17a31ad8f6cda485a354effca845165fd72d71847395c3280c0f43c486ba4baa9e192e322d502004fcc4668

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit