db1e3b9f03008745a59ff36d6da30bcc5dc496aed12b65909632d142c4357359

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b440b25022aa6cf85f5503c230c0099.exe
Size

128.5MB
MD5

3b440b25022aa6cf85f5503c230c0099
SHA1

6783368217b6b56941b80085047ded5fb06177af
SHA256

db1e3b9f03008745a59ff36d6da30bcc5dc496aed12b65909632d142c4357359
SHA512

a37b27ecd8a555e5673dd3b012a5b260253b40c0e90d4cbe88d138e8c59e7d6f23b8e336b4442f7b8b57ab9a69e61cde5dea531b64eac525e31d124f269ec352
SSDEEP

3145728:a5+ShtbCnbLEN4Mfvl6qJ1WE7oswHiEzCsLRURS:aVp6qJUliEzhLRUQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	3b440b25022aa6cf85f5503c230c0099.tmp

Executes dropped EXE 1 IoCs

pid	Process
1804	3b440b25022aa6cf85f5503c230c0099.tmp

Loads dropped DLL 1 IoCs

pid	Process
1804	3b440b25022aa6cf85f5503c230c0099.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3972	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	tasklist.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1804	4368	3b440b25022aa6cf85f5503c230c0099.exe	81
PID 4368 wrote to memory of 1804	4368	3b440b25022aa6cf85f5503c230c0099.exe	81
PID 4368 wrote to memory of 1804	4368	3b440b25022aa6cf85f5503c230c0099.exe	81
PID 1804 wrote to memory of 2456	1804	3b440b25022aa6cf85f5503c230c0099.tmp	82
PID 1804 wrote to memory of 2456	1804	3b440b25022aa6cf85f5503c230c0099.tmp	82
PID 1804 wrote to memory of 2456	1804	3b440b25022aa6cf85f5503c230c0099.tmp	82
PID 2456 wrote to memory of 3972	2456	cmd.exe	84
PID 2456 wrote to memory of 3972	2456	cmd.exe	84
PID 2456 wrote to memory of 3972	2456	cmd.exe	84
PID 2456 wrote to memory of 1352	2456	cmd.exe	85
PID 2456 wrote to memory of 1352	2456	cmd.exe	85
PID 2456 wrote to memory of 1352	2456	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\3b440b25022aa6cf85f5503c230c0099.exe
"C:\Users\Admin\AppData\Local\Temp\3b440b25022aa6cf85f5503c230c0099.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\is-STOCF.tmp\3b440b25022aa6cf85f5503c230c0099.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-STOCF.tmp\3b440b25022aa6cf85f5503c230c0099.tmp" /SL5="$501E8,133704293,1157120,C:\Users\Admin\AppData\Local\Temp\3b440b25022aa6cf85f5503c230c0099.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /nh|find /c /i "FileWatcher.exe" > "C:\Users\Admin\AppData\Local\Temp\findSoftRes.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Windows\SysWOW64\find.exe
      find /c /i "FileWatcher.exe"
      4⤵
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\findSoftRes.txt

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5L7J.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-STOCF.tmp\3b440b25022aa6cf85f5503c230c0099.tmp

Filesize
3.3MB

MD5
c6654bb92522673222b03a06ea14a659

SHA1
f9ee3c84bbcb5279eb2d9cdab34757f41e50e604

SHA256
ace803081126f1c85568f039b43458f95799c85fe1052994a0b2815896677da8

SHA512
5a02490ad98ada7e0d8f6607408c6a2c0b2bbe3468cc8a95f373d014af5cb1d7bd53aa654d03f5771d00dee96f522b451498f59c5b4cf11206e436bc888a57dc

Download Submit
memory/1804-6-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1804-14-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/4368-0-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4368-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4368-13-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download