856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c

Analysis

max time kernel
80s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

c4ca24ec91ced69fc98fac6fba21dc88
SHA1

b84f3a1ceef89673e31e0be210eb33d865d60659
SHA256

c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821
SHA512

5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41
SSDEEP

49152:27mrmYPoEHVGTWFkO4ITVpSuECY/vrM3rA3SuNM:Nm2Z12WFYFJ+

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1168	$_3_.exe
1168	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1168	$_3_.exe
1168	$_3_.exe
1168	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1496	1168	$_3_.exe	90
PID 1168 wrote to memory of 1496	1168	$_3_.exe	90
PID 1168 wrote to memory of 1496	1168	$_3_.exe	90

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8044.bat" "C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\""
  2⤵
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\$IO952QP

Filesize
98B

MD5
8a450cf61a4989eea236f07c354d786c

SHA1
3919076eb6edd33e9e0c95f350b84b7c987dfed2

SHA256
415fe55dc955e2520ea5d32fe425ab127bcac1995bc4909b6bf8b6b6a698420f

SHA512
9cf444e8c04cbf46f3147251009e26e62abbaef74446fe7cb7e5aae13f79851270b50e27dce1316c306262e1193ae95990df3d23ade7a172cb4718d5eeb0a57c

Download Submit
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\$IRTF9E2

Filesize
96B

MD5
83ca98fb4433d65af512ba371a4b9800

SHA1
5a867b15dc3faf025c783c94a9c4dc66141b6dca

SHA256
89949ee94d18e5ce0d8b6fcc2d2ed88737759cc7ca9cc903114db8e3f158564f

SHA512
77b571c4813e653b470b69824012a7c7ffa9d40fd2955b2a3b89e296212cd86cb268c3080ab50410dfa283544c0450ff3011ddeca82724f5e6d052668a459483

Download Submit
C:\Users\Admin\AppData\Local\Temp\8044.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8FE835C54249A0A68B48771BA40A_LogFile.txt

Filesize
1KB

MD5
cba6ab02f06bb873e1ca7da236556715

SHA1
17ba295c9c4f2d22c83136950b8fa3743a17bfa0

SHA256
0aad87e04957d9c2f473970181e5ceb704fd95c1f674ea351705a61cf4ba6a26

SHA512
ae18dbfbd6a31ce3a27906dd8bc8aea021bf4f7993471e0a86179d1c13c45bf5dc33295838cce3aa85f0a892248bf66ce6f53f7b89b6abb5f98abb8819ad7dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8FE835C54249A0A68B48771BA40A_LogFile.txt

Filesize
2KB

MD5
83660cb8b897cfadb503519345d4924c

SHA1
fbd2c0d19b3a6418b34d18efce81adc70ba013a4

SHA256
626dd535f85e078232490d849c52697bd2566700c9721e80d0fa2c7fefc905dd

SHA512
e39cc49c5395b02710757dbe61e708745ca80869d9fe2fe9983f62feaeae189f07c0b9b4bd3f125128002820250f12cfdcfcbf16ce3fd9b147cd53c772ac1502

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8FE835C54249A0A68B48771BA40A_LogFile.txt

Filesize
3KB

MD5
5a7463263e8e179b012db865853958ea

SHA1
e08a7a38300f722c5de7b1cc715891539b016858

SHA256
6768e2bb5e61040664bfc90aeecc9acb2f8473121b9b2a7822f4bdfa082ae42e

SHA512
7bfc5e42d3741b394c154c775b9c9c70e0d82722186aeb3ebaaaf036675ee7acbf6e825440021ed8052f690e14eaa0fbaca50d9a68004a49cba29aacbdca4fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8FE835C54249A0A68B48771BA40A_LogFile.txt

Filesize
670B

MD5
35d695fabdaa56860aa137885c0b3d2e

SHA1
def8e4f06e793ba56850ab5d56458b458aad3ed0

SHA256
0d5c2e07d2e7be35755a4d33298c1bc989c061cf7182357b0e20e1937fa6c65a

SHA512
c14415dfb2c6e152e7a65f1c389c96c0c0231028bde09034b24dbe7e9f919b0b98d23bff003f9851d5f829e7bbd163ad088ce4a123687d607441813d9a6ab9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8FE835C54249A0A68B48771BA40A_LogFile.txt

Filesize
4KB

MD5
7bdb0a921a4adab7aad2754f6211d918

SHA1
359aae4c5921ab6461f6c259772c7e46d8f8c249

SHA256
a35e490d887936fe867296be598ef73f76d117b6108eb06ed6d9d18999061a6c

SHA512
8d68c6afaed62356886455d242758d2f91ecb6f6629cdda2eb6ec247810da302b7b429a0994a422df41aa9d1d62be268839ef8ea684559fd8c5a2052842c0267

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CD8FE835C54249A0A68B48771BA40A\E5CD8F~1.TXT

Filesize
30KB

MD5
44e12c55e4c15108a91d15bf95200961

SHA1
da932e041414ea4dcbfc3ab1b53811f5b4482822

SHA256
384053abb51c1ceb839f56c1877b48b6834f03a28b681b3051d995aedda0833b

SHA512
aca6f0edbfaad40bbcf6b986e70612ba5bc64fb52deb884cd61c5006bb89bd775e0ba20b5996fe04d785083a83c94d4e755213b1c5743bcd7f6d932b3ea26a0b

Download Submit
memory/1168-65-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1168-165-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download