3eefd6f5d8370463fe5abc16ca4501c81fe2a63ceb2e06fad7fcb08bcc4426d3

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1428	$_3_.exe
1428	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1428	$_3_.exe
1428	$_3_.exe
1428	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2652	1428	$_3_.exe	96
PID 1428 wrote to memory of 2652	1428	$_3_.exe	96
PID 1428 wrote to memory of 2652	1428	$_3_.exe	96
PID 2652 wrote to memory of 2364	2652	cmd.exe	98
PID 2652 wrote to memory of 2364	2652	cmd.exe	98
PID 2652 wrote to memory of 2364	2652	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18138.bat" "C:\Users\Admin\AppData\Local\Temp\BC563725559A44368EAE07E472A970FA\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$I23JK8X

Filesize
98B

MD5
043e3c8604def4a8985a1151de15ebcc

SHA1
b9cb65c482c6df0f6477d934703f5cc5c4d60764

SHA256
fded94cde8ebfe5e40ad5763c199c1cd549a391171357d3b703fb28e7de063d4

SHA512
82e326ad3db9af8dee72b0ace3ba1d6ab6a9b8e268270dc11ce9e0315150cb890b265b0d3bf8acd60692e88306dd6c7c49eec9a48c480c740745b70777a74c1a

Download Submit
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IQATNHP

Filesize
98B

MD5
12d3bada040d636d1059f58df07cf5de

SHA1
7f2a4ea5273869f63e6bda1eb89a968e29e1b9ac

SHA256
4f1c7e2c685e13bf5e72228ea8bccdafb26182ec78d924b94ce4504f8f11349f

SHA512
589182876c4aab9dea993bb06ad276b61e5edd42ffdf00370fcbf676a8a9ca0936ae29b91c6bce2f0e8fc9b0f7d499b842c14afde0af7894d1b1c90fe9f1c2ed

Download Submit
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IRLEVA4

Filesize
96B

MD5
bfdd15d8bf1571da026e33b400c708ac

SHA1
86469abfda94e3d35a694ceed03480253b8b7c78

SHA256
c4bc644e4480935284e471bb9fd2646b51a2c9e7834ff74aada2567caff307c6

SHA512
23e6e03a5f4c044b5a1b00c58b05adb66811d4f5340b4e3a7379077232c3148ebb022c212a98682bcd92fea46fc035b7146d53d1f0bd0a62b827e95b5d4f3aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\18138.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC563725559A44368EAE07E472A970FA\BC563725559A44368EAE07E472A970FA_LogFile.txt

Filesize
9KB

MD5
c08ad40d272a8dc1908041ff70cbf8db

SHA1
ed46b0f221ecdfab7630de1f7c662fa4e0cb9618

SHA256
e390b3089adc9943da57d7ddaf829d006b6b749312d1c913fb5bdcf01907b174

SHA512
e9dd88436100f7917874def03f5483640229ff85289e9e51ad85a76df477cfe4e3379ddcd96e7a7ed5db8449f71216c597035c8297bcd836330aaa6ec829183d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC563725559A44368EAE07E472A970FA\BC5637~1.TXT

Filesize
109KB

MD5
97e343a1811dc097fe09e3474ca1679c

SHA1
f7e4b6f919cdf900a97a84f57430a23b0e1b2c8c

SHA256
b78effb7e2ca78d97b61cfdaddc7ea98e1e83b52e0cdac60d72325bfee696cda

SHA512
600f3486a5407e15b4c018e17c95980f2dc9308cd1f8826695afbf6292440baa0c108075e402e42cb7a173a6e655d2007fd2ba95e7c10ad35731d11a89b5e756

Download Submit
memory/1428-63-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/1428-197-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download