0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe
Size

36KB
MD5

bf047b42d7a25a2b5c4c1e68c43c6083
SHA1

2805043d71329c172e37010767380774c70671b5
SHA256

0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6
SHA512

565a45703c15ab1777b9a9f61147df39da0b0d98b668eb8ecac3679de3c1d488ab1a17ebf65a6e754b000a1c1b39de93fa5c2378eb025ef5b399159fb3fabd41
SSDEEP

768:T4j7YBkweh63h7iQroC8XtgZnRl2zVBDj9sW3doLobvdFlhWTlKwg1dFY4gu:sj8vs63h7iQroCgtg4KIH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe

Executes dropped EXE 1 IoCs

pid	Process
3220	storti.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 3220	100	0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe	85
PID 100 wrote to memory of 3220	100	0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe	85
PID 100 wrote to memory of 3220	100	0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe	85

C:\Users\Admin\AppData\Local\Temp\0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe
"C:\Users\Admin\AppData\Local\Temp\0a34c91109c20b40a5271a10f42c337abce3e9455bb789c844f8f5c05ef068f6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\storti.exe
  "C:\Users\Admin\AppData\Local\Temp\storti.exe"
  2⤵
  - Executes dropped EXE
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\storti.exe

Filesize
37KB

MD5
93d430a275aad5beb7e544c09844aa9b

SHA1
85c9ea23afee96a0ea60e52309eb970d5d4f7662

SHA256
32800ee1ba1e7d860cfe15fbec543a730b596a998df90bad8bf3dd04df6ea8e3

SHA512
ab72b0c0f499b62d5ec5ffcc470f3a67abadf012dd2f7a7babc6ef7ec7a9212d5fb87dc8a6cdd0a989c862e38c0364e2d43a05357c0ca5e810133da14ef08d32

Download Submit
memory/100-1-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/100-0-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download