4cd5e9da03cf453504bd3d4f48dd4263b27176d9fd1c66492d69ac8547ac254b

Analysis

max time kernel
115s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	$_3_.exe
1872	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1872	$_3_.exe
1872	$_3_.exe
1872	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2280	1872	$_3_.exe	86
PID 1872 wrote to memory of 2280	1872	$_3_.exe	86
PID 1872 wrote to memory of 2280	1872	$_3_.exe	86

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19913.bat" "C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\""
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\$I76FJ0F

Filesize
98B

MD5
e7eaf3cef4c3e185c23634fc9a5c9e9b

SHA1
abe46f9486eb8f25514ba7af8c68022be95e16f7

SHA256
9ef140d1135405e8e424499a9bf460cc289b1ee2712f832e47025f35c10cd115

SHA512
50bb8ad5f2b23fadf98782d2bcb6691b5ea19cc8aea85d15775166c1a38e911181075e01345fbe582af9d9a191913185dcf17708b3c0341d872dcd972ef036f0

Download Submit
C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\$IO7MK3G

Filesize
96B

MD5
e8ee2ea60f4fbd576e0d340a89253225

SHA1
979e2604b3a0174bb8fb4ff96609c175142d04c1

SHA256
0a95a81ea99ae5a8dc68fb1a7e22fe3d607fb9754758f74718571ae1fba3e6b3

SHA512
a0876a0c15bc5635a0964f6a42dac4eeafd755a8185cf05716e21de9779942310e1c968e2ac5c4db9d1db18d3c75d4b897c87fc7bc24c2378986a46a0657cfc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\19913.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\A8F7F32A9DC0496BBAFFE222ADEC7B4B_LogFile.txt

Filesize
2KB

MD5
f7f094033e30f6e3dd45bfdeb65e995e

SHA1
93d212b6c01bdc76e1c8cd7c5b1ecd3e51f09dec

SHA256
49ef877f873941a972f8202e7a986896a0ac93e6ed682f573f33602d9e636aa3

SHA512
6b79f386ca7518acd61599d5f0505646a6d4d8325d1c0a9c8d96811085dcf233b2a73ebb475a8d4e8c787a16c1ead1c972b1109c9876e297fc909495097d3e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\A8F7F32A9DC0496BBAFFE222ADEC7B4B_LogFile.txt

Filesize
3KB

MD5
7aa20163bc8b10018a7b0d8660c5cb2c

SHA1
a6d117006662e512aa4ddc5c5f709139b78d90c8

SHA256
37c5309d3638eb7187761f5061d54ffc5a7acc4003980408e59e4fa012d4605a

SHA512
7f4658f5de1ad1216102b45b332a798fd9c04502515116cae80b09106cda53ffa43c34a2b0d8347bbcfa5dce6fb8f71171dcce5f11a1830b85d01cdec673c8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\A8F7F32A9DC0496BBAFFE222ADEC7B4B_LogFile.txt

Filesize
1KB

MD5
70868af3b6ddea765c8d957e88c7137f

SHA1
b4824a117c7f4dc408a39ab844d31f13011f022f

SHA256
9a1f5a83cabd63dc4db60d43250950299eed57a7f99e37d739792554396f473b

SHA512
0b3b8109f0b19cd7867f2a881867002a147bb570c6bcc3f1f0e88fd30d6878b3535f08d606e732e03f85ad09c3d2bbd4d0b556662fb2b937fc11f1354bd5194e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\A8F7F32A9DC0496BBAFFE222ADEC7B4B_LogFile.txt

Filesize
4KB

MD5
82e536160947a5f79ab430b6de9ec781

SHA1
b3ca822eba50110a59456d7cb9dab1152b0475b6

SHA256
daea69c9ada381e5d21447289a80db9d5f2d49ac90b38a2bea0ad3f6902c58fa

SHA512
2a1e5e84faec1e419837157c5c352a6ac8a2f8c55308e12eb4595d2d56b52d3cd25b5d98f2047eccc3fc7d7b01e772882e1933859e079fc55860fb39c8a68e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8F7F32A9DC0496BBAFFE222ADEC7B4B\A8F7F3~1.TXT

Filesize
26KB

MD5
f397320225f4c834c41c136f2c16538b

SHA1
cee1b68140614493fdc00f97afae4f80b94f6f15

SHA256
fcc81fb4028df6eb0236306537c35cef84c006d526d2a95f016b4b6e3e939af3

SHA512
4b301d3acb241158cfaf146843ffbf9360ea996d0e885591d17f2a744fb44e0a5cbf25a7b9c3b09564209a019932379b292d1c054e3a16d56a52370bb0d279ef

Download Submit
memory/1872-63-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/1872-112-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download