d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
736	$_3_.exe
736	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
736	$_3_.exe
736	$_3_.exe
736	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 2664	736	$_3_.exe	89
PID 736 wrote to memory of 2664	736	$_3_.exe	89
PID 736 wrote to memory of 2664	736	$_3_.exe	89

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6213.bat" "C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\""
  2⤵
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$I8AI92D

Filesize
98B

MD5
1b7c3dfb0cdb91a67ba98bd5d888a99e

SHA1
29fd9257679450ecf209074366288e6760354b03

SHA256
87cfbb13a68084cf24d8c233c8361bca917538cb06d9c1540d77a02ffe0ddede

SHA512
6a0a7ba389222d677e320ee8551fbde6f5e37b045a5e58b30911b292720d59296684408e6b0d3cc2e9dee1f59a74e325b509d8b76484bb07cf97281bf07c8c63

Download Submit
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$IVB2634

Filesize
98B

MD5
9eef1b330d57224d98fd276638a58120

SHA1
162a49de9f7dac3c47db4fe36fd0602dd81c7046

SHA256
c72c8b204794459efb85e7803ef65ed2b4831ca269a4788c197fddb6c566727f

SHA512
840c1c24d99e70b71c559e94005a7ebb0dcbce57c462ad2bde12a1350f31c335408457d622932f7538b33aecab79563ff92f614fec38042f6614ce177dbfe70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6213.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\8D2A59AD32B24D9FA4FE67C57B4D84E1_LogFile.txt

Filesize
2KB

MD5
5c5150126968e9d9f2949d391f53e19a

SHA1
68f78f190c6ea869e6b29be96f14b97633f30456

SHA256
ebc440e217eea5ab70736402e8eebfbaad0345999b8661b90f546218eadab707

SHA512
b7eaea67b0cc25a82fcda30003c2e3ef0cedf2683408a6bcf64aae6c369d202b3834ababfd3ef1c3bc170e11898cc7a64af16cfc6f90bf1792876267c0a7c7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\8D2A59AD32B24D9FA4FE67C57B4D84E1_LogFile.txt

Filesize
3KB

MD5
093677a263867a31291caede31509fc0

SHA1
a19a6a37102872e839e76114b3ad4fb5ad96be65

SHA256
dec107bd6fd882bc1f1f43fe81439a3006839a714adfb2dfe97fddc75df2febf

SHA512
131679163c5d2027d3c164e1d0d0f4dadb1992c2fc5ac4e64032e403ad9d64acdb41150943986f69cbc94ac6c32a817aeb5154e2a37036ced2e7c5e95b8a3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\8D2A59AD32B24D9FA4FE67C57B4D84E1_LogFile.txt

Filesize
2KB

MD5
4f4e0971bc4ad8c686ca0eceff5c3bfb

SHA1
4a4330ce93fe52015485f0bbf0fb7680f3058f33

SHA256
ffd092517e2cc90ed3c3d7402474088e167cec3e82b4df2363e3f2e96e36c76e

SHA512
c9730c19dade9d3a6e3fce1b8dcfd908e2355a5b72cdef649056e4dbad297b3d473e32816a460afe1a6228844234e524e4b76d44a1e2e75a668c71e832ed068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\8D2A59AD32B24D9FA4FE67C57B4D84E1_LogFile.txt

Filesize
4KB

MD5
1f7e36d0f267e33f6068b399b55b3b77

SHA1
43e9ad2d8ddf6a8a6a2ee3dcdd656b2c2e1e0be8

SHA256
bb7fab1a6c211278a3cb6da5e3eabaf54a10b45594abf0bf8a7c69d7255ad144

SHA512
904f76765a0142b3059c4e4bd2587edfaae61ff4d3ce5d4075a1c0ddc12c5349695e426c36c18747a4103baf7acac5a09a39ea4ca0629be0e629c9f1dfbce3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D2A59AD32B24D9FA4FE67C57B4D84E1\8D2A59~1.TXT

Filesize
27KB

MD5
15081a07bc1faccaed6dd26db8f638e0

SHA1
c818eb636dede655877f19ea1515366ef9488c6f

SHA256
1dd9eecbc85d65e510823ae52b04c519430e9157a5f614d5a1db4c14e8e5653c

SHA512
6b8e22cc0732a8ee2926d530ca99432fa63715492b6649d63cfa9c967bc1658e80d151b25f5e083c2ed4b4cc1b495cf238c2468262f0ec7deefb16140d344769

Download Submit
memory/736-63-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/736-195-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download