4783cc4e22eef45fc31fcc1332f313c2a57009535c91950971e15156451949ec

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404679004.malware.exe
Size

95KB
MD5

df5d52cb49235432803429183954a5e6
SHA1

b21c1e7f31682e2a44785df44932433bf7b28d24
SHA256

d0bc81afbae5955ed2bb6ff4897578719e9fd6089a05be7f6f0114ac5c46c0d0
SHA512

d93238a30398a7edb18ef087d56e7e44f817dad4d1004d1b17cc9e42a85abc19258a6ec13e3d17203063c9b5a0cf26ed63ba34012016142149033459ee475a75
SSDEEP

1536:DYBc/lkd8Kbw3YAxkIscK0XiE2676P3lJHnxTbsTFIy:DYBylkrUlsc5Xi2GHxkTFIy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	404679004.malware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3660	1232	404679004.malware.exe	86
PID 1232 wrote to memory of 3660	1232	404679004.malware.exe	86
PID 1232 wrote to memory of 3660	1232	404679004.malware.exe	86

C:\Users\Admin\AppData\Local\Temp\404679004.malware.exe
"C:\Users\Admin\AppData\Local\Temp\404679004.malware.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Blv..bat" > nul 2> nul
  2⤵
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Blv..bat

Filesize
180B

MD5
b19f6f0928a528ff8a2e7a56e4b5f313

SHA1
3a66fda55eb7d9ea7252a4d518dec3335ed66038

SHA256
b47ec8f3d2f633fc80a0045054cc04efe465324755aabd7e0dc8f1659434216c

SHA512
a3e0d2d77f5e1d8c9afa0e54df654d0e54660949787ddf0f20140a97b4f9af9d0891fa4f267335a6dc1a715ac275596da336e3f3ed37fec01c80d009d8e22139

Download Submit
memory/1232-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1232-0-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1232-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1232-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1232-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1232-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1232-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download