58cb93ebbf4fb0ccfa194ba814b45eb4413d9122a911806ca799494a7746b971

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

77bfacca17ee1d89833b57f3a746d9a0
SHA1

aa9490c913489c5eafd02f67f875efcb56d23036
SHA256

38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512

21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
SSDEEP

49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4804	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	$_3_.exe
5016	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5016	$_3_.exe
5016	$_3_.exe
5016	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1288	5016	$_3_.exe	80
PID 5016 wrote to memory of 1288	5016	$_3_.exe	80
PID 5016 wrote to memory of 1288	5016	$_3_.exe	80
PID 1288 wrote to memory of 4804	1288	cmd.exe	82
PID 1288 wrote to memory of 4804	1288	cmd.exe	82
PID 1288 wrote to memory of 4804	1288	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19420.bat" "C:\Users\Admin\AppData\Local\Temp\498339A5C81F42DDABC14F6B8665D38C\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19420.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\498339A5C81F42DDABC14F6B8665D38C\498339A5C81F42DDABC14F6B8665D38C_LogFile.txt

Filesize
9KB

MD5
ecd4390ce49960bfddf267677356b3fb

SHA1
08b6e7f6bd3077acc42ea8dfd5ee82dd8a807668

SHA256
91cdc26c1268068728dee4064674470e68ed29271bf2c5c047d9f7ac94a1a3df

SHA512
1c44c9c2fd484eb8bde413a1db5f24787ec6e4a26885afdc28d11f2d0ea06ac7acb1d0d99c387430d3e53ef7a58c5efd0dc6e8520da7d4bbdc290295543c6345

Download Submit
C:\Users\Admin\AppData\Local\Temp\498339A5C81F42DDABC14F6B8665D38C\498339~1.TXT

Filesize
111KB

MD5
006e339d0a05ce53b9cf5d3eeb04aef4

SHA1
74ae5bb0fcedadba36bbc6ddeb1b8766a513e33c

SHA256
8209d2e0935c9384bf685516abfa672ce553407afb564f2a5f1afd983517ca58

SHA512
8a681746b667a2bc6b376c098d21f60f502334f36854b6fd4c88f2e7e9ba9dbf25041a8437d48331c5cba6693b529059bf405a8f2fb852a5b6ed711cb52cedae

Download Submit