4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba

Analysis

max time kernel
134s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	$_3_.exe
4800	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4800	$_3_.exe
4800	$_3_.exe
4800	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2748	4800	$_3_.exe	96
PID 4800 wrote to memory of 2748	4800	$_3_.exe	96
PID 4800 wrote to memory of 2748	4800	$_3_.exe	96

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32210.bat" "C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\""
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\$I0QMOZ9

Filesize
96B

MD5
e58334b37d5b1072cabcd77b6b749bd2

SHA1
1cac1cd54f06220ca0dbe0c8e832660a36051007

SHA256
334e19eaaa76011abd495810b9672e1ab8154972351306cd15285843f3a588f2

SHA512
247368e548f13974d39808c6fcb4465ebd824eaf24dad2db413e8863a5e5be60cf98ef6dca1d476136d342e7bd485fa9959547c94765450dc2d5707ed209528e

Download Submit
C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\$IA6ZU9R

Filesize
98B

MD5
29b02eef07434dbfbc8add4f8fe61073

SHA1
78ee57bd8baaa87b78fa2a03e9eddc43eedd7d01

SHA256
b744cf357bec678354f0758fcdec6771a957a1679ec3bb5a42a54f70d29584ee

SHA512
8a754a22e1c3c6efc1dc655ad612c382bceecae77b97587afa9324569a5da773ce51c4b746927e6c35ce19ccc2083c92d37ba3a1c20c2015bbd250f70e828add

Download Submit
C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\$IP4DK0E

Filesize
96B

MD5
1146246f88aacb65abb12912cb6d9805

SHA1
ed0f7c75acb13a6f4ec03b80200fc1f53e0b233f

SHA256
92f9e110d550b8d457846c4e0dd5c902c6056fe256280d799eec19c27fd22b3b

SHA512
fb358bf9a9b4791f91675a53bc223ca4d55c4b96d4ed6ea8be060287135aa5460035f9164629a55cc055f97a42ef61f0b4c656021887b403d6941f796f5629bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\0F5F389B7E914701BF8EF5A3044FB702_LogFile.txt

Filesize
2KB

MD5
29ca8bba856de12649575eaa0da05371

SHA1
a0fa6a6da26ded183dfd3ba28e5e33645ab2edcb

SHA256
d158ece3b70ab4d4daf738383fa4723976f0091080add815531ea75c06d56594

SHA512
13fd1152b021fd2642b3e18afc80619e94ca870fa4726395268add1148ffeea632b1bf107cec7efd97a1e4630f5e569844cdc8c24c99c41efeb047f494423a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\0F5F389B7E914701BF8EF5A3044FB702_LogFile.txt

Filesize
2KB

MD5
a2d98f8fa0d63298d0114cec8b363a8d

SHA1
9d2f0148018222fa045508e17ed698a5b1825f11

SHA256
fe311bb5696adf04c9ac404970aecdf2e59be668c34c5f973fe3c530c4513df0

SHA512
c8df07980b0d34c8ad01d88c860c9a3d0b0890775eff08e9efbd4fe1464067111eb76bb090f02f9f2df1b7c928c33a3ce158c6f092d7526e609e1412a6a0d088

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\0F5F389B7E914701BF8EF5A3044FB702_LogFile.txt

Filesize
3KB

MD5
87ffffb32a690f5a239a555c7fec0664

SHA1
5fd0d57a27649574edf9622487c3ecd2dde348e9

SHA256
9e9e4ca9f077b08fe5295a6b71b5c8e90fe51f70149f6b776395231c3e9ffd7f

SHA512
8031311472254dec951fa2c7c19ffe125cc5715890d709540b4a1c0d0cd1788703d1357593d0921beef0c75a4fb1f40d4bf2c65ca067e0998348c8982e8fac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\0F5F389B7E914701BF8EF5A3044FB702_LogFile.txt

Filesize
5KB

MD5
d1ae239d5b09b63a3a3784456d2c1b12

SHA1
d82232110ea4bd470c31a071a60cec9747b0a0a6

SHA256
c11850b9c7af88f63abee20667b6f12d6e166c73b6efae064c3115f75468cade

SHA512
66b65d9ab80098dcf80d26eaada6db294cc7142ea6570a167c662df6a45abf04e03a87c05232f95cb8d54941a512ced03a82c9d4336b9c2d6914e59e6106e5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F5F389B7E914701BF8EF5A3044FB702\0F5F38~1.TXT

Filesize
26KB

MD5
1ba9de5e2405aca4bebc34009dedea14

SHA1
83552558cf34f5a618f51849c61ac033eaa6f056

SHA256
9a95e6d5cbdcefe3e98edd37fa5b7508b82ec9b15320a09b64230c8007d2b91b

SHA512
f187e61ecca5c98be19929459435901ef878dc54e0025a26bb11d0f273a000ef40204e6da1ec97ef1442b3e7afaf0d8152324cbf08285c1860d725e98fa4a6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\32210.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/4800-67-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/4800-196-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download