a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

e35e058dd2119eb0f0e852f8738fbab5
SHA1

b7f9388398a9643eddb97a6c2ebaf28b6189c9a8
SHA256

17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556
SHA512

d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c
SSDEEP

49152:rc4u49CbNSFXVJUtSH9zaTRpSWa6zjQWLtm5YXld:rz4GFJUtYf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2852	$_3_.exe
2852	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2852	$_3_.exe
2852	$_3_.exe
2852	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1468	2852	$_3_.exe	96
PID 2852 wrote to memory of 1468	2852	$_3_.exe	96
PID 2852 wrote to memory of 1468	2852	$_3_.exe	96

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10273.bat" "C:\Users\Admin\AppData\Local\Temp\B963C6D4200C4685845A1642A86D8F43\""
  2⤵
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\$I4NVUUW

Filesize
98B

MD5
0d300e200df883d72668b2f4299fcdee

SHA1
c22100d772cb1ded19d1f40cb5135634aaa3f873

SHA256
77fb4aebc94ba43685d98c2463f8586a724899fdb721e33af7508827649211f5

SHA512
bf0a832d5066e283918e3f2c09967d4243461894e43caa17172add05a85e22b980b5c4258a5206d3c0953683ac20670f56c61b05ffe12796fb3c4dc9c49bc501

Download Submit
C:\Users\Admin\AppData\Local\Temp\10273.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\B963C6D4200C4685845A1642A86D8F43\B963C6D4200C4685845A1642A86D8F43_LogFile.txt

Filesize
9KB

MD5
d3c6d0135563745f0b4985af009a5c67

SHA1
ec201c3b65817bb336d52858f0640bfb57fee634

SHA256
da57c420a817cfd2753ceac5f5e2c0f7b1be82aa5ed58b0106a86df7d6caa922

SHA512
92da0c9b2ff31b6eeca7c67a068e1d81831e0e297bbfaad587e0d8ddd1bb1eaa374596949a3694ca41b0decbf3c9a632163a1bd7578fefff4f81e03f7cdca283

Download Submit
C:\Users\Admin\AppData\Local\Temp\B963C6D4200C4685845A1642A86D8F43\B963C6~1.TXT

Filesize
111KB

MD5
d0e0c6bdcf0ed906c1d6a078550a9060

SHA1
60e86a1c96df26ba197995f991f2be1a80050974

SHA256
e49000d16f56ede11863e7b2a3dfc87805ea29e7eb34d2fd4c2ba08ce2ff7a7d

SHA512
c02ca684535ecaa81ad6ba2c1c3ef13f19390f0ad0b24f530a0bb755bc7fcd9c420968a5f806a462b270cb47b3c24faefe9b2c6f78d44b1228f92b7eb63b103c

Download Submit
memory/2852-67-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2852-200-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download