448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	$_3_.exe
4800	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4800	$_3_.exe
4800	$_3_.exe
4800	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2864	4800	$_3_.exe	86
PID 4800 wrote to memory of 2864	4800	$_3_.exe	86
PID 4800 wrote to memory of 2864	4800	$_3_.exe	86

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24607.bat" "C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\""
  2⤵
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2447855248-390457009-3660902674-1000\$IA2Y796

Filesize
96B

MD5
cb9cbb99b7cb299cf1f7b4b86a45cf83

SHA1
35e7b2495214c4c2b3b046343257d0ffacdbb824

SHA256
1750ce18a824ecbc2903b4d2431c943d24f55e27e5a64885e4fa1085a0d81e4d

SHA512
8343ab28eb48afd0dfd1206ffad7321938c95e90d29a1e4147afdb569366c2cfb90baaa17f79e8aff6838397554acde86a9f818f3042547bf5a86a39a1ff5923

Download Submit
C:\Users\Admin\AppData\Local\Temp\24607.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

Filesize
4KB

MD5
e41eb5fccc552032954272125e751218

SHA1
3d90fafee4abdde006beb4e59962016da0df5784

SHA256
84ee580b2857c8bebd07e07edc0688b5ccea5e03c9a53938064438e8422e42aa

SHA512
55ec17062b09f3db6eeaff7e40054f5a5b3a7dbcf380af421dda5bfdff8fd7664482866e4ba987a4dec30dbd7c529f98d36dd05c717d5448ca57b116bf30b57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

Filesize
2KB

MD5
8c1f8d3b9f727948d81c7c6df7cbca8b

SHA1
3195a3ac8f8a09187b99c478c4dcb6c297186e1d

SHA256
f889909822dd72ecb6c689258d158f88dc730d933a35586fbba74d739e5474f5

SHA512
dfafc89e60c3945013e4cb24c6b8b4e434bde821dcdd6b66976279d88f644d501c5b36baa05fa5e4f1fdb8ad516c09d54b622ad50ce0f834b24b029ee5dd2ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

Filesize
5KB

MD5
6c6fcb216e096848aa97002cbe7109a0

SHA1
f350156aeb8c690924565cd98a4f657f46b62108

SHA256
c598f1fa567ebf96b4b59d6bc83a196eb3e58a44888874f52152447a12615fd5

SHA512
d15356b7e39da81504b1148d8897282b3af0da0861027ff16a5a840cbb2efe3358fd701c27fe964471caa1bc77ca44b15f28ef6929b22290b7f52c0727cd6ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC775~1.TXT

Filesize
27KB

MD5
b70ce98feaec3b3433b9495c0924cc45

SHA1
bf34f0eaec428bbe2ecab2cf25cc17e0c019ca15

SHA256
29b2b6022184df069caa6ef1c8b56f8291ee84ea7155b8583f84c5ffb2c2a17e

SHA512
56816ec74d447b018eeed11f7af2d20fc82f87cdafa89832ccfd381f930ad1b2e9bfb727de581854ec562dec204b7d5720f1248b783964a661336cb89f5e5dc7

Download Submit
memory/4800-65-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/4800-196-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download