2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e

Analysis

max time kernel
92s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe
Size

26KB
MD5

1acb712035566ff78dacfb8754bb47db
SHA1

cc1c8c68485dc3de3ffb0bf16d1c9a6257015529
SHA256

2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e
SHA512

0d02a88363405eb413030770f17221d10041af63fc8a1864e7146e2325c29fb46fcb15482ffb9c011e75df38283e57ab53891f4206cfba972b6a11777382c95a
SSDEEP

384:T4yJGYp9M7R7U+is4WSE/Fs1iAyEudnDwi6X:EYG8ye+isOEdsWfdDFS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	quip.exe

Executes dropped EXE 1 IoCs

pid	Process
4200	quip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4200	1408	2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe	84
PID 1408 wrote to memory of 4200	1408	2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe	84
PID 1408 wrote to memory of 4200	1408	2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe	84

C:\Users\Admin\AppData\Local\Temp\2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe
"C:\Users\Admin\AppData\Local\Temp\2311cc68e0895726eae90fac4335bb509ae99700392535607a6c32808dfb168e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\quip.exe
  "C:\Users\Admin\AppData\Local\Temp\quip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quip.exe

Filesize
26KB

MD5
e99c442e817e11a329f94043b6f6f91a

SHA1
1c1cadcdcb67314fe6e732197266af64ab8a46b6

SHA256
130f92581ffa24b1d3c6f4ebdaaae102ded2910eaa6d81243cd2f5658446c333

SHA512
4858967eff25db5fdc3225bf7471c8e5210cdfc5e087c3bd7c413015b41511bd8611436fb3815a623a055684857d1c575adb6ab0c749d232bcea60dc9171b832

Download Submit
C:\Users\Admin\AppData\Local\Temp\wipet.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
memory/1408-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1408-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download