afb7d884e5174a179da017d02bc7f12b87fa73240d3e94c6298afedda88589d2

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4956	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	$_3_.exe
2188	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2188	$_3_.exe
2188	$_3_.exe
2188	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4836	2188	$_3_.exe	96
PID 2188 wrote to memory of 4836	2188	$_3_.exe	96
PID 2188 wrote to memory of 4836	2188	$_3_.exe	96
PID 4836 wrote to memory of 4956	4836	cmd.exe	98
PID 4836 wrote to memory of 4956	4836	cmd.exe	98
PID 4836 wrote to memory of 4956	4836	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\425.bat" "C:\Users\Admin\AppData\Local\Temp\02AF7D2EAAED4C60AB7811653D58A8D9\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\$I8DQBEH

Filesize
96B

MD5
adeb5b7ef487a67f9712cbd466e7af4f

SHA1
827bd3ab881ecd08ee784f284f05fa2e4ab80171

SHA256
18b0e636d51df0fdcd51ab10ca69690494880a3d42e71ef2f389c27c6a895ac0

SHA512
624409b1220d03d9015f98757d81ee5c440e0b780e08207038cfb34669d796d3c8e748ea1c55c43f3e747b1152ea07510bb90943974d47d336ad404d9ac172da

Download Submit
C:\Users\Admin\AppData\Local\Temp\02AF7D2EAAED4C60AB7811653D58A8D9\02AF7D2EAAED4C60AB7811653D58A8D9_LogFile.txt

Filesize
9KB

MD5
ff38be8531ce7916175e7c672e307be8

SHA1
7ac36c4292d7b0861df46d2d4387b9e4ff902c15

SHA256
cdda9c6c4b91339a2b1138792d875a3b7b9d24a6e1e72e0007dc8f4ec3d2e055

SHA512
a8a5a597bbd357362d4e2ad173471e865c315eca3bb551caaa11e51a2f25cf2b2cf7665991caf9836373da13e19cffcb3a32b6e03e482d26a205f982d3e16d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\02AF7D2EAAED4C60AB7811653D58A8D9\02AF7D~1.TXT

Filesize
110KB

MD5
921ba4f4950fb34269ddd961e55ebfd1

SHA1
5b9fbfea37896c6b7630074a8d953d11fb658723

SHA256
7b82d12f8d5ae9efc483da69ad6cff0cefe9156337f6be278b4e95c04e96accd

SHA512
0b4209ac1f8f921e6d79f82669d83a2c5244fa83130b2c678f5da40f42a8377a243381fd1fe992462a03a46f77f5509d9c2f33bdda27a2bf1282e044f80e85a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\425.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/2188-63-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2188-195-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download