5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

Analysis

max time kernel
88s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe
Size

783KB
MD5

dd32fbe95047642376227127eaffe815
SHA1

8d2c3539b0307816c4e0d447cb5b577cb6e15c07
SHA256

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8
SHA512

97645a91ca1219a221ef60083adbbc07f4706030f5bc0669965fa3e53881c3422ae2aac0eb14d0dce7470ff7f06e2987d33bc7f1ee03aae93b34fa3ff81cdd49
SSDEEP

24576:yNA3R5drXP0lV4LIqzSVq1r+w/URexTF2+:L5OZzAr+0UExB1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe

Executes dropped EXE 3 IoCs

Processes:

AhmetOdem.exeAhmetoiuv.exeAhmetoiuv.exe

pid process

1016 AhmetOdem.exe
3564 Ahmetoiuv.exe
1028 Ahmetoiuv.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ahmetoiuv.exe

description pid process target process

PID 3564 set thread context of 1028 3564 Ahmetoiuv.exe Ahmetoiuv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2880 1028 WerFault.exe Ahmetoiuv.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ahmetoiuv.exe

description pid process

Token: SeDebugPrivilege 3564 Ahmetoiuv.exe

pid	process
1016	AhmetOdem.exe
3564	Ahmetoiuv.exe
1028	Ahmetoiuv.exe

description	pid	process	target process
PID 3564 set thread context of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe

pid	pid_target	process	target process
2880	1028	WerFault.exe	Ahmetoiuv.exe

description	pid	process
Token: SeDebugPrivilege	3564	Ahmetoiuv.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exeAhmetoiuv.exe

description	pid	process	target process
PID 3620 wrote to memory of 1016	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	AhmetOdem.exe
PID 3620 wrote to memory of 1016	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	AhmetOdem.exe
PID 3620 wrote to memory of 1016	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	AhmetOdem.exe
PID 3620 wrote to memory of 3564	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	Ahmetoiuv.exe
PID 3620 wrote to memory of 3564	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	Ahmetoiuv.exe
PID 3620 wrote to memory of 3564	3620	e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe
PID 3564 wrote to memory of 1028	3564	Ahmetoiuv.exe	Ahmetoiuv.exe

C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe
"C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
"C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
2⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
"C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
3⤵
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 80
4⤵
- Program crash
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1028 -ip 1028
1⤵
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
memory/3564-21-0x000000007328E000-0x000000007328F000-memory.dmp

Filesize
4KB

Download
memory/3564-24-0x00000000008A0000-0x00000000008F2000-memory.dmp

Filesize
328KB

Download
memory/3564-25-0x0000000007590000-0x00000000075DA000-memory.dmp

Filesize
296KB

Download
memory/3564-26-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/3564-27-0x0000000073280000-0x0000000073A30000-memory.dmp

Filesize
7.7MB

Download
memory/3564-30-0x0000000073280000-0x0000000073A30000-memory.dmp

Filesize
7.7MB

Download