eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda

Analysis

max time kernel
141s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe
Size

7.4MB
MD5

6d911503abe0fe2fca7175749dfc7ab1
SHA1

a45295dc3526c9e7d6c7e221b613443a4c07ad42
SHA256

eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda
SHA512

35e2d33975454b8c4e4bcbd03f81a073f91c10325c17f45f5ece60f90cbcf004d9d4d3063695c480c89ed7682ab25b91d147e491fd8c70305b54f809854b92f7
SSDEEP

196608:v+Uz+x7JTIrJ/X6kEfUSjfQ7c46UaRsPCDvKn/M:raN5IF/eMqJ46fGKZ

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Executes dropped EXE 1 IoCs

pid	Process
3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Loads dropped DLL 1 IoCs

pid	Process
3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1796	taskkill.exe
2164	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3808	2072	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	82
PID 2072 wrote to memory of 3808	2072	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	82
PID 2072 wrote to memory of 3808	2072	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	82
PID 3808 wrote to memory of 1796	3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	85
PID 3808 wrote to memory of 1796	3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	85
PID 3808 wrote to memory of 2164	3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	89
PID 3808 wrote to memory of 2164	3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	89
PID 3808 wrote to memory of 2164	3808	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	89

C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe
"C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\is-4N2CE.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4N2CE.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp" /SL5="$E004C,6820482,1208320,C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im PhotosRecovery.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "PRNotifier.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4N2CE.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Filesize
2.9MB

MD5
9bbf6787cc7011eb5ab75adcbfab6891

SHA1
7f86cee0f3df676898843c72b5f955f0b955c047

SHA256
f2a193655a3f9806cc7d3321e4c1b75971568306eade06124b12917629f9e7f2

SHA512
42f9a9c19bc57b5ff1d0e3f52b66d3e31b936e9d72c60c7db3922e339aad3cabcfaeda13b37afab5f79f50acb0575ccf681fb6b5bce13602141362366bee0903

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEV5I.tmp\isxdl.dll

Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
memory/2072-1-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2072-2-0x00007FFADEF30000-0x00007FFADF125000-memory.dmp

Filesize
2.0MB

Download
memory/2072-12-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3808-6-0x00007FFADEF30000-0x00007FFADF125000-memory.dmp

Filesize
2.0MB

Download
memory/3808-13-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download
memory/3808-16-0x00007FFADEF30000-0x00007FFADF125000-memory.dmp

Filesize
2.0MB

Download