66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
Size

955KB
MD5

94f798a6cc5738e8924c9c0b3d2abb1e
SHA1

5714cb7b382dab9977c99c94294561bc42d3166e
SHA256

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223
SHA512

7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4
SSDEEP

24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe

Executes dropped EXE 1 IoCs

Processes:

InternalLoader2.exe

pid process

4920 InternalLoader2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4920	InternalLoader2.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exeInternalLoader2.execmd.exe

description	pid	process	target process
PID 4552 wrote to memory of 4920	4552	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	InternalLoader2.exe
PID 4552 wrote to memory of 4920	4552	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	InternalLoader2.exe
PID 4920 wrote to memory of 2276	4920	InternalLoader2.exe	cmd.exe
PID 4920 wrote to memory of 2276	4920	InternalLoader2.exe	cmd.exe
PID 2276 wrote to memory of 2004	2276	cmd.exe	certutil.exe
PID 2276 wrote to memory of 2004	2276	cmd.exe	certutil.exe
PID 2276 wrote to memory of 4072	2276	cmd.exe	find.exe
PID 2276 wrote to memory of 4072	2276	cmd.exe	find.exe
PID 2276 wrote to memory of 4080	2276	cmd.exe	find.exe
PID 2276 wrote to memory of 4080	2276	cmd.exe	find.exe
PID 4920 wrote to memory of 1612	4920	InternalLoader2.exe	cmd.exe
PID 4920 wrote to memory of 1612	4920	InternalLoader2.exe	cmd.exe
PID 4920 wrote to memory of 892	4920	InternalLoader2.exe	cmd.exe
PID 4920 wrote to memory of 892	4920	InternalLoader2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
"C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
3⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
4⤵
PID:2004

C:\Windows\system32\find.exe
find /i /v "md5"
4⤵
PID:4072

C:\Windows\system32\find.exe
find /i /v "certutil"
4⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
Filesize
588KB

MD5
2582a8dfdf77e54747a2e84a27377131

SHA1
87a91b5cd34f2ed215a0092997ce2989a333b920

SHA256
38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20

SHA512
f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c

Download Submit