bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe
Size

53KB
MD5

fd1becd077f646f5714a4bb30f93323a
SHA1

6b3ee367f7b6af9ecdbf8c8609ba0c3e2d37d9ad
SHA256

bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851
SHA512

c7c6568127b02d7ece40fd48c976ea4c98706754f747155ebc1afd8dbd4dea39e79532e2b7a7e1e248e0b673e58251f0a5fa7939a9de74cab7383ec7297ce23a
SSDEEP

384:v/pohq3KaYJLVG8ZG4T3dOwY7xMR5WYKZseH54lbcnaKnmUhChKwGbxpLPs:2+A4884TtOwkQFKV/na9yrbs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exehfdfjdk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	hfdfjdk.exe

Executes dropped EXE 1 IoCs

Processes:

hfdfjdk.exe

pid process

1316 hfdfjdk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1316	hfdfjdk.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe

description	pid	process	target process
PID 4632 wrote to memory of 1316	4632	bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe	hfdfjdk.exe
PID 4632 wrote to memory of 1316	4632	bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe	hfdfjdk.exe
PID 4632 wrote to memory of 1316	4632	bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe	hfdfjdk.exe

C:\Users\Admin\AppData\Local\Temp\bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe
"C:\Users\Admin\AppData\Local\Temp\bddb2063adaf2cf358d8b51f8e38507b00e823c6a32b89b2e3b33ef0a34c1851.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe
  "C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
54KB

MD5
5c82453b1cce46818b326b4729d8ebf4

SHA1
c4c60b9227929ed163a6c4be4c1604153ad5e76e

SHA256
22e76e30041427c3a9afb5b314861afc5d55749adf38eccbf4bdfe2250254789

SHA512
d2a7b3467d62ac159eb9dee4061425329d7c0cf6aea5e3017f36e311aff8d2c1e6eca9fd6a5886d2c42cd99890bcd0867bea02b71846a67c84d564af4f0f4b6e

Download Submit
memory/1316-9-0x00000000006E0000-0x00000000006E4000-memory.dmp

Filesize
16KB

Download
memory/4632-1-0x0000000000F10000-0x0000000000F14000-memory.dmp

Filesize
16KB

Download