03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
Size

94KB
MD5

35ac6eed58d341bacd36487d4c83f3fe
SHA1

b219ab41ca935c98496f694d5bb8bf3a5c79e0e9
SHA256

03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84
SHA512

cba6bc2bc9e062fd68cc408b03da0dde9f94cb2f8a1ae69e14c5215e244d8ebdadd15e0cad5461bbccb3e19233682104cb8bee05f6061ca627cb3bc3c38af54b
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7uje:PfU/WF6QMauSuiWNi9CO+WARJrWNZye

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

Executes dropped EXE 1 IoCs

Processes:

wuauclt.exe

pid process

2496 wuauclt.exe

pid	process
2496	wuauclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

description	pid	process	target process
PID 2680 wrote to memory of 2496	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	wuauclt.exe
PID 2680 wrote to memory of 2496	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	wuauclt.exe
PID 2680 wrote to memory of 2496	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	wuauclt.exe
PID 2680 wrote to memory of 1996	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	cmd.exe
PID 2680 wrote to memory of 1996	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	cmd.exe
PID 2680 wrote to memory of 1996	2680	03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
"C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680

C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
2⤵
- Executes dropped EXE
PID:2496

C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe" >> NUL
2⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\wuauclt.exe
Filesize
94KB

MD5
1d02343fbe046edd43f21541d46c0a87

SHA1
1bf83c6bea92f1d436aa39f683dfb450e0621759

SHA256
eeb21040fe3487ab6e8db9058ce06348440248d493884a157e461ae1e09e91b7

SHA512
3c4067e2409e071cd2a6326a6ace3196c2fb23148c4baba21f4c355bf313ff2fc6ac38c7fcb8614bcb5a1828b1f80bbc43fcd6b27ab726e4b62b1470ad0a6ad2

Download Submit