826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	$_3_.exe
1648	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1648	$_3_.exe
1648	$_3_.exe
1648	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 5088	1648	$_3_.exe	96
PID 1648 wrote to memory of 5088	1648	$_3_.exe	96
PID 1648 wrote to memory of 5088	1648	$_3_.exe	96

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10759.bat" "C:\Users\Admin\AppData\Local\Temp\8881532A21E44939A1CA837216363CF2\""
  2⤵
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$I9ESRIR

Filesize
98B

MD5
df7d791264e9455ab1610d37c171453d

SHA1
225853af5a85d27c781f46cbb4e29a3aab071f33

SHA256
d9e0e5985d4d91a44ca266eecefadb2ce7410660408d359eb0af4c4172897af8

SHA512
5538cd415ad691a400154a7d9c9eed52a100e6253528b222743b8643b756da3b7801715a73752c61e5e3b9361224420dd24762ce489f36243414072237f5ef9e

Download Submit
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IS96SHB

Filesize
98B

MD5
c721b370bb138ef169a701c1eeb55e17

SHA1
2adacf6cea32c986aaa2633fcb0adb1ab2626772

SHA256
47efd18b24f74f34aecc6a4e047bd7a17497604e24584fbbb5905f2389cbd648

SHA512
1ad2dfc810f8b3a646c4ca00e6ae59f0684b193b5a07464188eefcafdfd611b60ec1093890f94067eca1b146b55a2f59fb70692c8aa8744fa7ebc0f813b3475b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10759.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8881532A21E44939A1CA837216363CF2\8881532A21E44939A1CA837216363CF2_LogFile.txt

Filesize
2KB

MD5
b782ecae113b7c9f34b157ecca0dbcc9

SHA1
b48d0a34d86c0d3f4011e82fec0ef7d40c716bd6

SHA256
7e6dfcef769f52e65e579c9351c8d97f84e1a2c6c80e5a2dbcaee2dc610769cb

SHA512
ca744f7f83cde31a17a36a80320aa39b2480149a70c9be70caa9c95915b3fc3b726eab5a6518430a649f1d0ab027eeda87088e8569900853f34365db8ed9e0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8881532A21E44939A1CA837216363CF2\8881532A21E44939A1CA837216363CF2_LogFile.txt

Filesize
4KB

MD5
e705f28bebed2adbdc3083c86cdeb39e

SHA1
558793e2c67216672459b6ad2cadb7b1bb6f3692

SHA256
0cad46228b8b7a6016bf786c61dfccf56c6c72f491093fc17f71391fcb2568df

SHA512
4fcf2e64341084c3e134dfd7f7284da6d1a9592c552f61952e565939954e821942e7f5503a07ffa82685521c7387ae98d415961b7b28319534d07a850caa8adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8881532A21E44939A1CA837216363CF2\888153~1.TXT

Filesize
26KB

MD5
559a84be7b5e991b092874ba88977ced

SHA1
3a4e2265d6ccb7009996209ec7741ab525fb250f

SHA256
54468f99c305ae8758b97d300c539cc9bffd12a7e4da9538715b792a12c0a810

SHA512
8980fcb123d65dc28fcb81fc96752f57bf6afc966e8b48e6cb92def2d3096878d30fdeed4d9392b708ad3946142bf5c4880f404d9c0811e064beb3a357053044

Download Submit
memory/1648-63-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1648-197-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download