ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe
Size

5KB
MD5

419358de1ad79bca53f79d65c976ca48
SHA1

9ad20c58e9a781bce7e1fb0bee3aa1773915e8e4
SHA256

ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3
SHA512

86dc5166147050cc11aa4e2f509dc93319c84b258bef280afe0674c3ae21154d46391104e2d08d3bf61b57812c6974ac8b3b38af57afd909c9b7d09a6da14ae2
SSDEEP

48:qxipAmFRt/G9LeZq7szErDyP2M1rsHB/VnC/RAxUI2CS70ALNx:vSoXDOsIYxuHnnwR2UI2ClAhx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe

Deletes itself 1 IoCs

pid	Process
1816	retro.exe

Executes dropped EXE 1 IoCs

pid	Process
1816	retro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1816	816	ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe	83
PID 816 wrote to memory of 1816	816	ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe	83
PID 816 wrote to memory of 1816	816	ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe	83

C:\Users\Admin\AppData\Local\Temp\ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe
"C:\Users\Admin\AppData\Local\Temp\ddf2c1b35938520651cf875fc626c08299f7c7f4522dbd6070144c1d21e17fb3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\retro.exe
  "C:\Users\Admin\AppData\Local\Temp\retro.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
5KB

MD5
1743e8acd0a3e538ced6faf66f629526

SHA1
a756ab37236739257e8b89c54a5f4980a6581786

SHA256
08adb8ff907e7ce23920d968e75d6fd4d5cc39484a40e943f7fec7bfab205852

SHA512
52d576e16402ed3366781bb3dc85e269633714b5a94b599a1f133cbfbb349e9fac23bbe0d81df3188905dd4272438bbc4160b30c2e341fe030037e252f39138d

Download Submit