b5f524fb3ed8f651f1ef5549af543a4a6944dd12074ad91298ea8361769656ce

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 05:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3704	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3000	$_3_.exe
3000	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3000	$_3_.exe
3000	$_3_.exe
3000	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1636	3000	$_3_.exe	92
PID 3000 wrote to memory of 1636	3000	$_3_.exe	92
PID 3000 wrote to memory of 1636	3000	$_3_.exe	92
PID 1636 wrote to memory of 3704	1636	cmd.exe	94
PID 1636 wrote to memory of 3704	1636	cmd.exe	94
PID 1636 wrote to memory of 3704	1636	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3541.bat" "C:\Users\Admin\AppData\Local\Temp\10FF313D7FB34751B765B6ABCB460996\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\$I47TI5A

Filesize
98B

MD5
78a105012f85fc5ecc7a9b8860f4e6a1

SHA1
c92b60471f603f4dea61bed67eb1d2e1fac970f7

SHA256
691233e8611f479490f4e171b27060e0d235b705c0e4c6a085586ca709d3f93b

SHA512
548049e9af97e2991d3ce88ab0670de6020527ac02ac918e113d146f87ebbeeba241d92d44b225ef15a5a3f622defec8a66863aa3dd6bd8c518709326e2c9afd

Download Submit
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\$IHSNCDG

Filesize
98B

MD5
be1dc9c67bbf2ac884c0e90f9827c848

SHA1
47183916e5bfc975ac25e20d97c08e2eb40d6e9b

SHA256
077d2bfae155cdb4ad9b95d5cd3850cf415616cd749c90eab5917aaa12486219

SHA512
61649451e5e28b06794e4779b69765c818db57df03860dedaf7758bb4ec5e0e28e13c87855f3569e2c758d3063b0d6409594df0b1619247b3c8e380a59c55f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10FF313D7FB34751B765B6ABCB460996\10FF313D7FB34751B765B6ABCB460996_LogFile.txt

Filesize
9KB

MD5
1cd18dc7f26210db8df25d2e28d16340

SHA1
61330392b0176dad9e9125d22693e76aecae71ac

SHA256
3d0d1058da3ee48bd1d8982e9ad7c5a6da1204b63b776f6fb2c0ff01f8db9b48

SHA512
96eb284e2a85b6b1abff0033d32412d1cf26062b00c8f3758899655c10b8c96af3024f8580a9969990caaa9ef4367b8add5e1d9ead13247ccb36bd4b49e86725

Download Submit
C:\Users\Admin\AppData\Local\Temp\10FF313D7FB34751B765B6ABCB460996\10FF31~1.TXT

Filesize
109KB

MD5
4a9e9bec6ba5d5c21ecfc8277b1736e0

SHA1
6f044457f530aced1148d6008f117606f7632fbf

SHA256
d0183bf7c73ce41a40e707d71d19f129b4cca0143f510c4ab7a3f1991bf15eae

SHA512
4130ff5e6e0c5c8890df07848bf151d103dbafc150d93a15bdca97e67c706ae15363348822092a71328033cb089194fdf485d2b40560c1310082d18643836029

Download Submit
C:\Users\Admin\AppData\Local\Temp\3541.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/3000-63-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/3000-196-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download