22664ea1e54b8ee129e1293c0c261e431bd0a2f9e864650c4c095ffa0f9a019a

Analysis

max time kernel
130s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4220	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	$_3_.exe
4012	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4012	$_3_.exe
4012	$_3_.exe
4012	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1948	4012	$_3_.exe	93
PID 4012 wrote to memory of 1948	4012	$_3_.exe	93
PID 4012 wrote to memory of 1948	4012	$_3_.exe	93
PID 1948 wrote to memory of 4220	1948	cmd.exe	95
PID 1948 wrote to memory of 4220	1948	cmd.exe	95
PID 1948 wrote to memory of 4220	1948	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\720.bat" "C:\Users\Admin\AppData\Local\Temp\91AD5E3AD80D443EA4D33A5306BCF309\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\$ICI9L1P

Filesize
96B

MD5
deecb2b22de9eff03e8fb83bbb126e0c

SHA1
c2b2b08e73ace4ad6934683f3dc3296403910bc5

SHA256
d060e885c0d2d83556bfc947663a93e3ab1b2125791dc598960dffe85b309df0

SHA512
a22511f00e3d6f67e1f60eeb9b7e56ab191f51a9f8a36f771952492df6f41392f9facebfaebe752c640b61a01c2d53c03caa37dddbd7a74b319db0092caffa0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\720.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\91AD5E3AD80D443EA4D33A5306BCF309\91AD5E3AD80D443EA4D33A5306BCF309_LogFile.txt

Filesize
9KB

MD5
cb2fc48720cb7e38b0e960d4729edfeb

SHA1
a94491b5af59aec77b55fb442c650c3ad5edc495

SHA256
fd8a685659e710d63a3ceecaf391ccfff6c1342b8601ec3769a18ce9c236bd04

SHA512
fe64a69a96e60ef4e06692defc185539ffd3d7c52b46d77f969958e9f05141b6432c88a365389a10296502894befd979fa607d34a2b6a6408072367b56a6c3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\91AD5E3AD80D443EA4D33A5306BCF309\91AD5E~1.TXT

Filesize
110KB

MD5
28f7b8069fcc12eb2a519feabe39c203

SHA1
3e2d39265001033ea8ba9756f641e5bf64201432

SHA256
e25fb671a43dc4b273ae548da9392988f276adf8e6dbfa5617ee07ab8f90588e

SHA512
4fdab576cea90822e6da99701217e078a2b8bcbed38dfa71d55fc26bac619331b17254ebff285c396bbc554471503202fea1072743e0fc50863bf34d2e8daac3

Download Submit
memory/4012-65-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/4012-199-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download