71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
Size

102KB
MD5

dabb84c3d073199e51215fd2275c14e5
SHA1

60d8562ec6da20d7e2fb8453cebbc7df3a985c87
SHA256

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b
SHA512

3f49c7bde724f02bf3d99bbbbecdfa1497e39ab149106ce7f97c2b9e4843ffd38b0e5e0bbbd12a73c5385270405b2137ae57a45ba5a80987d8cbdfb374cad9ae
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4Ou:fq6+ouCpk2mpcWJ0r+QNTBfzz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.execmd.exe

description	pid	process	target process
PID 3940 wrote to memory of 3572	3940	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 3940 wrote to memory of 3572	3940	71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe	cmd.exe
PID 3572 wrote to memory of 4636	3572	cmd.exe	iexpress.exe
PID 3572 wrote to memory of 4636	3572	cmd.exe	iexpress.exe

C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe
"C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4045.tmp\4046.tmp\4047.bat C:\Users\Admin\AppData\Local\Temp\71fa4825b0bd96a14051652d238634caf9db0559001b102ecd2f2081a23c9e9b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\system32\iexpress.exe
iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
3⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4045.tmp\4046.tmp\4047.bat

Filesize
1KB

MD5
da9a8db30b2193eb306fd377ddc09822

SHA1
2b14a8683d1faca6bd607d0ae398cb95c36ab6f5

SHA256
9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f

SHA512
2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.sed

Filesize
102KB

MD5
92d991c86da76ed71e919929729b5924

SHA1
d6fdeeedd89a68d2ba3a4e6f4a4ed523ff0bb991

SHA256
d1d29d97d9726f529131b2e0c27f4ae2efbf4c8e13dff2c9596c00d8c200722e

SHA512
bd1fa3455148c93848f3b7f30bdc80e68719b1083ed31f15dcf12373402bd1d55b92b0779764d5fed0d5bbed68735a876ca604cac21a37c00fb77b7e52d20a9c

Download Submit