9d87ddf980a5b7ee64bce85e5b89d216049882392d256a9551ca55b832543347

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887771f6f47ea2eb0da1a61374594e08.exe
Size

317KB
MD5

887771f6f47ea2eb0da1a61374594e08
SHA1

63d4e9ae741aa51b5271850da1103db1dd173006
SHA256

9d87ddf980a5b7ee64bce85e5b89d216049882392d256a9551ca55b832543347
SHA512

8483cf9a8060f1ebc7447022b815eb35397532a12f042ea043ae3549369527c6076a0e5507f11b9bc013a3e199a26c825160603569a5b02aeeb9381e17eb5524
SSDEEP

6144:+0YjywDhq1doBLbii5bkgVuN+xSKV7Wkrsf7LsOSfXVB8KC9br:+0AywDhwdiXikbkgaISKVJXv8z9X

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	887771f6f47ea2eb0da1a61374594e08.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	ACFEB1DF-5926-4B62-AB80-BF84B853CBD3.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	887771f6f47ea2eb0da1a61374594e08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3064	2664	887771f6f47ea2eb0da1a61374594e08.exe	82
PID 2664 wrote to memory of 3064	2664	887771f6f47ea2eb0da1a61374594e08.exe	82
PID 2664 wrote to memory of 3064	2664	887771f6f47ea2eb0da1a61374594e08.exe	82
PID 2664 wrote to memory of 5020	2664	887771f6f47ea2eb0da1a61374594e08.exe	88
PID 2664 wrote to memory of 5020	2664	887771f6f47ea2eb0da1a61374594e08.exe	88
PID 2664 wrote to memory of 5020	2664	887771f6f47ea2eb0da1a61374594e08.exe	88

C:\Users\Admin\AppData\Local\Temp\887771f6f47ea2eb0da1a61374594e08.exe
"C:\Users\Admin\AppData\Local\Temp\887771f6f47ea2eb0da1a61374594e08.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\ACFEB1DF-5926-4B62-AB80-BF84B853CBD3.exe
  "C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\ACFEB1DF-5926-4B62-AB80-BF84B853CBD3.exe" -y -p30C57DBF-B95B-41E3-AC15-6157AD2482D4
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\start.hta
  2⤵
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\ACFEB1DF-5926-4B62-AB80-BF84B853CBD3.exe

Filesize
204KB

MD5
a1a843901ee01d5c31a928348389fc07

SHA1
f76866220943028a927b8dc8f54620cb0dd41f2e

SHA256
1b81876a2bc0a704a290d120a9c7602242458ae0ca1ddf7e07035795acd46357

SHA512
aa24002104e9f064fa23da297989b0187ec2e79661e2d80a29f244d727c7ebbce9b44d46f966d84edae2fb64b6d25a4d1f968ab8c0e65a578a09b1915d5f963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\helper76978.dll

Filesize
122KB

MD5
b3a99f2a72af563cf6dd5f46a55d162f

SHA1
b89a64ed854d6cd18b81f4d5e084915037ec83b9

SHA256
e8176dcf60d23548af81ed56a7772c0901eb4f962d7921ad8a0e99741e2b97c0

SHA512
0fdf9e259fc9581e3add9b852d8ff2d12f1e583576bef9c449645e3b5ecf1ec8cccb1771ccb9afb569dbbd61d122c2b2db7d71cc2c2de298234915ca6a5bd578

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaeeddbb-6270-4ab9-ba75-b06d6e8af67a\start.hta

Filesize
1KB

MD5
9bbdda852677117290a7a3f130638079

SHA1
48390e93abf77599ae64023160cb8ae143189777

SHA256
6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34

SHA512
1d94b9074ac16cc84b76209a258313282437019838c6b759f8e1c9a665ea104b1e5d197c42b5896b4d89fe7087501017d13a5912272084592c5a218dc635aaa9

Download Submit