a5ade73cacf80906a0e898f86bc261f2ff580d34c472ce7914ea987aab5c819d

Analysis

max time kernel
138s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

$_3_.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation $_3_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2976 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

$_3_.exe

pid process

2884 $_3_.exe
2884 $_3_.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

$_3_.exe

pid process

2884 $_3_.exe
2884 $_3_.exe
2884 $_3_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$_3_.exe

pid	process
2976	PING.EXE

pid	process
2884	$_3_.exe
2884	$_3_.exe

pid	process
2884	$_3_.exe
2884	$_3_.exe
2884	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

$_3_.execmd.exe

description	pid	process	target process
PID 2884 wrote to memory of 4336	2884	$_3_.exe	cmd.exe
PID 2884 wrote to memory of 4336	2884	$_3_.exe	cmd.exe
PID 2884 wrote to memory of 4336	2884	$_3_.exe	cmd.exe
PID 4336 wrote to memory of 2976	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 2976	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 2976	4336	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12512.bat" "C:\Users\Admin\AppData\Local\Temp\3848609E7DED4B869F8ED889F546214C\""
2⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\$ILWP1IP

Filesize
98B

MD5
3cf41d80cca9ef34327d6bd7873e7ca9

SHA1
895c8eb1d56842f6015cb1b8f2b0315d724f5f4b

SHA256
7801cb9b036b9d841b3fddd108ef872a81c54359a0c0fa46ded1354f4f014ae8

SHA512
a6e54251889231c22fefa76257f38db770e6d0ba08f0b4fb4a008ba6f2832aaa186e9b2cd076e40e1c209297445f331222271f48f73f68db1d71f44ceb679340

Download Submit
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\$IUBYU6O

Filesize
96B

MD5
524e78d20622ed6cb296a6a5e0332c0b

SHA1
212c2871c27c022caf137bab2621d7f8bcc9225d

SHA256
10d01de5c482c2718e77f30754c8d7eafce255924bb8eb4945f377edfebf24eb

SHA512
b22477ddd244f6ba02f359618ea6bc0d4640756f5c9021626615ac379c8eac691d8c22b336d323a3bd8be47df19aefff0c07f7bd113a1a22854bbda617c66098

Download Submit
C:\Program Files (x86)\tempo_5629

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\12512.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\3848609E7DED4B869F8ED889F546214C\3848609E7DED4B869F8ED889F546214C_LogFile.txt

Filesize
9KB

MD5
1f2d99e773356fd5ce33947a8f317af6

SHA1
b01980a5c174c1abfec898f2982b81c6e5e95273

SHA256
1631027d7057bf3de109839ce99dd1e5c7939756ae24ac64bcbabfdecc086853

SHA512
e5d6a7b5087217fcc6b52a7c93cc7c5e480c0245814c661746a7bd768d69e807b07d8a6c69a850aa1edc5846efb67ee18e95a04a553f5b7ea14000016727ad2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3848609E7DED4B869F8ED889F546214C\3848609E7DED4B869F8ED889F546214C_LogFile.txt

Filesize
2KB

MD5
4c8872259e919b930c98ec16016114cd

SHA1
e704ce72e11b9bf465aae9b0cd8f9739195d61d1

SHA256
1b33be841b78163e3ab42aea3323b94400afb9fd1d3d54525a4e19d108c39f95

SHA512
1dece4eb4461834c9a1df25a99e78b7b0497eb0a3e204fb8a52474275f4baa860c680ab879ff02011d5c127689ad49c897b4b261c092b4678819e2a3e7a9bd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3848609E7DED4B869F8ED889F546214C\384860~1.TXT

Filesize
109KB

MD5
4863c70a37348d8a0f75b0342ec7c6e4

SHA1
2a003f2832e617a72a82cb9134c16effc9216378

SHA256
8b79460f387acfb2a47a77687946868a4367c4b66b4432bd07157a2964800b1d

SHA512
3e9bf6ab5ea8a5d400517ecb51b88897cd6d63ab100ba6bd180d20ac67f5c6aafb0c5e46d656d051f697ac9b77e83290f37d46606930e14f2c4ff49025898a9b

Download Submit
memory/2884-63-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/2884-196-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download