5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe
Size

2.5MB
MD5

83bb427fb0c1d78cf27f7f7b3a0ddb51
SHA1

c6add026998074678ff17a77200bc9433b12e410
SHA256

d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d
SHA512

8adc548873fc57732a99f48e69716e7d74bb2abf59904b86cc0e282f1a3b37a47fe84d7d94518973960c3d079c7c739926fb35d7bb09a25a48c5f02e30a6c1d2
SSDEEP

49152:kWhSV4BfJXAEgs3OaQCU+bzbDP4Fnbo8AdmkugFtWZ/q4xCl+gbAC8J:kWhSeBfKExOaQ6vP4dW0CWZ/q43gclJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4292 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4292	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe

description	pid	process	target process
PID 5028 wrote to memory of 4292	5028	d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe	regsvr32.exe
PID 5028 wrote to memory of 4292	5028	d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe	regsvr32.exe
PID 5028 wrote to memory of 4292	5028	d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe
"C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U -s .\Z3UQNGA5.78
2⤵
- Loads dropped DLL
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Z3UQNGA5.78
Filesize
2.1MB

MD5
5dfcb241b7de6db07e66f74011f5da37

SHA1
399c362ae5ccf758ecabbc9ec71a8b653d86186d

SHA256
0874659ed8ac8d80c4b54db37480af6563009eaaf6dec8dde14c18119516149c

SHA512
86cacba0f897499ec8120435241685cdd260875ff57b1a8dbf16122d9f2d7ec38c798df1f1dda738813bfd5a332c40d10eff5a06319f35b1ea6dd51a36d6266b

Download Submit
memory/4292-4-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4292-5-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/4292-7-0x0000000002E30000-0x0000000002F2D000-memory.dmp

Filesize
1012KB

Download
memory/4292-8-0x0000000002F30000-0x0000000003015000-memory.dmp

Filesize
916KB

Download
memory/4292-11-0x0000000002F30000-0x0000000003015000-memory.dmp

Filesize
916KB

Download
memory/4292-12-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4292-16-0x0000000002F30000-0x0000000003015000-memory.dmp

Filesize
916KB

Download
memory/4292-17-0x0000000003020000-0x00000000050F5000-memory.dmp

Filesize
32.8MB

Download
memory/4292-18-0x0000000005100000-0x00000000051D6000-memory.dmp

Filesize
856KB

Download
memory/4292-19-0x00000000051E0000-0x00000000052B9000-memory.dmp

Filesize
868KB

Download
memory/4292-20-0x00000000051E0000-0x00000000052B9000-memory.dmp

Filesize
868KB

Download
memory/4292-22-0x00000000051E0000-0x00000000052B9000-memory.dmp

Filesize
868KB

Download
memory/4292-23-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4292-24-0x0000000000E50000-0x0000000000E54000-memory.dmp

Filesize
16KB

Download