afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe
Size

56KB
MD5

004c9a309659a4fdcf25aae8083e4da2
SHA1

88483a4555ea6ab2609049863b0dac24cb8056dc
SHA256

afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124
SHA512

1cdbb0aaa75c9d23359ca6ea9db4a70c2a69dd9125e55be6365eef065804f6edc1d5e3a82157d576bba316f7e65a38b71ae783f5c2fe876410bb15a8d2d3fd6b
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxSHZFQQm:24Bobv7aB0EooYEC3rUVcYEZF9m

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe

Executes dropped EXE 1 IoCs

Processes:

zbhnd.exe

pid process

3024 zbhnd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3024	zbhnd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe

description	pid	process	target process
PID 1612 wrote to memory of 3024	1612	afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe	zbhnd.exe
PID 1612 wrote to memory of 3024	1612	afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe	zbhnd.exe
PID 1612 wrote to memory of 3024	1612	afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe	zbhnd.exe

C:\Users\Admin\AppData\Local\Temp\afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe
"C:\Users\Admin\AppData\Local\Temp\afa118c72b12db14fd7ab526a2e9018ea68cabfe1107202fa6ee43e5d927e124.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
2⤵
- Executes dropped EXE
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
56KB

MD5
ed4f1d4e1d081aaf42dacddafceba2de

SHA1
cb9d93ca53cd1ce1d295268d608e419e801a7d95

SHA256
bf7ed8f092cfc2efc85a7980a7654844938b09dc751239f27f9f57f53e35aea8

SHA512
e1e161b0751b1864e4f2320efe6e72b5ec0592d603125560bec411aa53e2e9866081579195401ed3fbcfaf0b1270cbe11aa2c4388f15f4c438a2bcbdba360161

Download Submit
memory/1612-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1612-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1612-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3024-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download