2e1226c056bce2f6f31d251850d4ae473b955a04c33334dbed53d5b5d5b97077

Analysis

max time kernel
131s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8a371542e76a1d5a2a4b0181b0a749.exe
Size

612KB
MD5

1d8a371542e76a1d5a2a4b0181b0a749
SHA1

cca5dd45fe5d32656f9d69cfb8a81f1345ed0cbf
SHA256

2e1226c056bce2f6f31d251850d4ae473b955a04c33334dbed53d5b5d5b97077
SHA512

5e8b106356203a7978e85024a3e7125f065800531e2b4959aa9599b8d4e80723a6016efba64aab347fede19c597fa57e0b764e0677d779b38cc0eb36503c9ecd
SSDEEP

6144:rVOI+hyG9B5liEKDY/+n7yHVoJi6l71y4SAcZsZ79wL20H3hBcPCB51JZDEjKk:Z6Xl8M/+n7YOJdRqat9wLNAPCBHDa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	214.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	214.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\214.exe	1d8a371542e76a1d5a2a4b0181b0a749.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32\ = "C:\\boot\\zh-jg\\jgmxd7.dll"	214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32\ThreadingModel = "Apartment"	214.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}	214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\	214.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32	214.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1372	1d8a371542e76a1d5a2a4b0181b0a749.exe
1372	1d8a371542e76a1d5a2a4b0181b0a749.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4272	1372	1d8a371542e76a1d5a2a4b0181b0a749.exe	90
PID 1372 wrote to memory of 4272	1372	1d8a371542e76a1d5a2a4b0181b0a749.exe	90
PID 1372 wrote to memory of 4272	1372	1d8a371542e76a1d5a2a4b0181b0a749.exe	90
PID 4272 wrote to memory of 5024	4272	214.exe	93
PID 4272 wrote to memory of 5024	4272	214.exe	93
PID 4272 wrote to memory of 1292	4272	214.exe	94
PID 4272 wrote to memory of 1292	4272	214.exe	94
PID 4272 wrote to memory of 1292	4272	214.exe	94

C:\Users\Admin\AppData\Local\Temp\1d8a371542e76a1d5a2a4b0181b0a749.exe
"C:\Users\Admin\AppData\Local\Temp\1d8a371542e76a1d5a2a4b0181b0a749.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files\214.exe
  "C:\Program Files\214.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies registry class
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\aa.bat
    3⤵
    PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\214.exe

Filesize
31KB

MD5
f9ba792d47d3eeb990e6e4e2550802ac

SHA1
1e2664f5d550878d5cb4a036dffbb96b675075d1

SHA256
0a980fe3b4d644b2aa259b1d8ec5c0de569fecd1529d65004a666d0b213341b1

SHA512
c01def955497ac2f1d487952860d2ddcb5a4707977394f216aa2299308a956ef9033ff828abe8fd5bb892636c427df5a73bd8c6fde68d7bfde45c3f68f88c902

Download Submit
\??\c:\aa.bat

Filesize
40B

MD5
970202094c6fe2897a1fdde9416d81e7

SHA1
5ed5c1ab87c339890725577e57199a6addaacd9f

SHA256
5eb048f7d8bdf686c62be8abba2e6bca977959988093e2a51816d7d977e93993

SHA512
b733eea5683ad79f4d72191dabc63a36b8da8e5b74cdaaaf43d952156eca8a14fdb4524c1350dd454d26845c86182a903999dd835f51fcfc787d5ef85e61a9a8

Download Submit
memory/4272-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4272-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download