1ecbd6f1f6b517575539cba00a56404fe59d9c7315824db365057b6be53ef653

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd.exe
Size

89KB
MD5

d8f18b442715363eb6287a1aeae0ce12
SHA1

5375dba3752889ff04066ab7834552651315f60a
SHA256

3f6d5680d2b16df3e47568b265e6928cd921dd56308209f24b4102b60c5368b4
SHA512

5f061f18e68539228800641ebdb70cf886602f9cb053db69a1dcc2993775d11843b890a8de2d80144580b146044a7efea5b331863b78136608ac716d481d280c
SSDEEP

1536:v7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIffwKQFO9:D7DhdC6kzWypvaQ0FxyNTBfft

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3204	4080	cmd.exe	85
PID 4080 wrote to memory of 3204	4080	cmd.exe	85
PID 3204 wrote to memory of 232	3204	cmd.exe	86
PID 3204 wrote to memory of 232	3204	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C1C.tmp\4C1D.tmp\4C1E.bat C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\task.vbs"
    3⤵
    PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4C1C.tmp\4C1D.tmp\4C1E.bat

Filesize
88B

MD5
df4426b2e5ab08172fe52906deca6684

SHA1
ee45a12cac0d2e94914de2decffb917b490728ae

SHA256
02927f82ea4d2f0f369801aa090400c66ddb595613dc20c56bdd506011818036

SHA512
389f3ee399f39f9fd7f22a3195081075b68933222fe9921a0605e68c47236922efeda5c113a066f401b002baa93a96e1686b096e27896c504c153230beee8cb1

Download Submit