bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0

Analysis

max time kernel
140s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 20:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe
Size

99KB
MD5

8445b97453431864e46bcd69b0e8bf4c
SHA1

76c4e23bf404cbd8d5a54d1c5c9f741a11133baa
SHA256

bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0
SHA512

c3225bf72cfed7368ff0f46b7320758fe4d49ac2b84071349feb7a985624a7af569e4e12514448291e243a62cb1f838212702e8de64aa9beaaf9312551d69a83
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4O9:fq6+ouCpk2mpcWJ0r+QNTBfzi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4948	3560	bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe	91
PID 3560 wrote to memory of 4948	3560	bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe	91
PID 4948 wrote to memory of 3584	4948	cmd.exe	95
PID 4948 wrote to memory of 3584	4948	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe
"C:\Users\Admin\AppData\Local\Temp\bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\24F8.tmp\24F9.tmp\24FA.bat C:\Users\Admin\AppData\Local\Temp\bd686dfb1eb8a1b577f7d7dd7f5d9712e99f18532dbf16d41e65e6998cf740c0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
    3⤵
    PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24F8.tmp\24F9.tmp\24FA.bat

Filesize
1KB

MD5
da9a8db30b2193eb306fd377ddc09822

SHA1
2b14a8683d1faca6bd607d0ae398cb95c36ab6f5

SHA256
9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f

SHA512
2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.sed

Filesize
99KB

MD5
8188e0a03787a5eb021b74a82b82a8e1

SHA1
12624680bef8f275890a70ad3929d7c973501271

SHA256
ae933295143b4d058622fcc90011666e7352cac253f71fb67501ad1b9db2ca44

SHA512
908c961bd6d9495cca615163bcaaf0fd18f918b10e85752a0207f285e7257a6b7bc235878de20e5463dd38fe666bcd580a798fb72d1c12a5b0b4e549bab7161e

Download Submit