31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe
Size

279KB
MD5

2a06e8c44df8886ef0908d9cab39535c
SHA1

3526957bc6ff88e82346e777d6f1760f8d566187
SHA256

31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96
SHA512

362763e784824312999262eb24f27e144e9e246e18060c19114c1a2543f7109bb1db2185cd4aadbed50d5a5401fdcd41da73f8d57360966f20d0adfac1d2360b
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKK:boSeGUA5YZazpXUmZhZ6SK

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

212 a1punf5t2of.exe

pid	process
212	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exea1punf5t2of.exe

description	pid	process	target process
PID 1112 wrote to memory of 212	1112	31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe	a1punf5t2of.exe
PID 1112 wrote to memory of 212	1112	31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe	a1punf5t2of.exe
PID 1112 wrote to memory of 212	1112	31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe	a1punf5t2of.exe
PID 212 wrote to memory of 3424	212	a1punf5t2of.exe	a1punf5t2of.exe
PID 212 wrote to memory of 3424	212	a1punf5t2of.exe	a1punf5t2of.exe
PID 212 wrote to memory of 3424	212	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe
"C:\Users\Admin\AppData\Local\Temp\31adf61f5030afa2cae1f349a12b3a757dbdd21f800c53d2679523cbfd100a96.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Filesize
279KB

MD5
20c623b02fce860bb3836e99cd501a55

SHA1
3e7c0a99615c08f1696e24366acf3d18927873c2

SHA256
cc6f2a257f1fe253ebdee60322ad9c9fd0a91da1648f9d0ea6f6c32ced24aa6d

SHA512
d3a9819edcac62b8b27e582598ee4970b7b4020e7b43a0f0908e9a40a40c98900a65b319375ec075f3b18bf45ad5f508c16ebd863286426d1b4c548946d01068

Download Submit
memory/212-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/212-19-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/212-21-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1112-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/1112-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1112-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1112-3-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1112-17-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download