b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4132	$_3_.exe
4132	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4132	$_3_.exe
4132	$_3_.exe
4132	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4416	4132	$_3_.exe	88
PID 4132 wrote to memory of 4416	4132	$_3_.exe	88
PID 4132 wrote to memory of 4416	4132	$_3_.exe	88

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\15914.bat" "C:\Users\Admin\AppData\Local\Temp\7279DF54A02941F1892F7C5A00C85C30\""
  2⤵
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\$IJRMJ3Z

Filesize
98B

MD5
1eb3c2d2512607d010fde5786e2037bb

SHA1
14c938406caf8239f7d65ff87f8a033afbcd70e7

SHA256
9d1948e879c95bb0dc7fca09317c56085a5cdf9043ab412e2a065d7e0b42c626

SHA512
148a3d89c8377f8b179d91bbda719d990b75f69e24f357d59d25360d3d6d80d50e430eac255e49c442de3ff6ffd78a3e70e8462232161ce431272d4d34f9ddd6

Download Submit
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\$IK5TRJT

Filesize
98B

MD5
6e39c65881983aa9c90ff9e180d17d04

SHA1
190a80f024d5387e52910f2a6797b64b7300b5d9

SHA256
959153707cd3df2e402529cc139e7f75c1fe62af06bf30be00be362e03785273

SHA512
0f56189b775b9775a1e20412fc115e9d059aff5b8359a5bc45407881e3862247bca8291fb489454e239cf7c3b51316c169267111df8ef59cc02166c98d1613b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\15914.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7279DF54A02941F1892F7C5A00C85C30\7279DF54A02941F1892F7C5A00C85C30_LogFile.txt

Filesize
2KB

MD5
73a2a2ae8644905d0fc0e3507ece5b7c

SHA1
bba2f0206cc16d8ced1455b6e96f53aca099e328

SHA256
0ca9a2a9d6a9b51e6e87f26d2595ba3cd6b660877e3b240f4713e1c0d2298e17

SHA512
7defaf9e8fe4ab5e9c698bece010e916dc60d0d0601a10905d66bdd232f8f98caaf16fe1c6aedbdd3133389440fdd935f23557c4bda0950580e1b82a7505c18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7279DF54A02941F1892F7C5A00C85C30\7279DF54A02941F1892F7C5A00C85C30_LogFile.txt

Filesize
3KB

MD5
145836bab93b519b0f08891401a8d2d2

SHA1
bd2b8fc523f66aa7d1f1fb69c7418590f139e826

SHA256
ddf7a89bbb2f8e45bc73b1ea477d2bdafaeafafbba58a4965d4f4eac9550f0e1

SHA512
6db6482022b2f405a8d516c68f6e2ac306a8b9b476404d773579cb1c34fee51ab0bc3741e364e8e40de387c731d77c775fcc355367a399496bce443013c61d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7279DF54A02941F1892F7C5A00C85C30\7279DF54A02941F1892F7C5A00C85C30_LogFile.txt

Filesize
5KB

MD5
a64f5c3ce2cb2461f367b5f37019b218

SHA1
00bd27aa5aee7ba9c8e9aab6347ffa0c793c757f

SHA256
2bcd9d000a7c60648f119f2442a4e5def8fb80e8fdab23fce0648d73c618c8ea

SHA512
f266b7a10968ca744b9755b0e38e95308ecf88e259847674829606af2caa00670d468618e95e7b18b5856090e81ca866a690ff0e4b26ea83f6e657f4b9f41dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7279DF54A02941F1892F7C5A00C85C30\7279DF~1.TXT

Filesize
26KB

MD5
190ef6fcdd164d695451d869293fc119

SHA1
7c62adbccd52806829d91e4426db10878da3ca2e

SHA256
64680576c6342e7046e15e81b3c73decd74a0c9731e3bf157dd668772c8be17d

SHA512
897d2ca823cc730bf2213bace6c4eb4cd908c66db96bf73e65ee335ed2ed75cafce42c23f5dc44c5bf47f8549a4fe9b8ada0e6b59d564a8c31e88d1a73d3504d

Download Submit
memory/4132-65-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/4132-191-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download