1ba4002a9bf34dbecf87ac3b9c5d3420c8b55e09a842b00801440bae0a218a08

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5544cbf3ec43f21f7f55882806b850N.exe
Size

761KB
MD5

0b5544cbf3ec43f21f7f55882806b850
SHA1

ed59c785a96bf9f8dec81227e59d422ed94c0314
SHA256

1ba4002a9bf34dbecf87ac3b9c5d3420c8b55e09a842b00801440bae0a218a08
SHA512

f8c05f0c21d97cee2eea6c1bed64ed06271e86d399dd739a764e357fecac20d7b20fafe6271c31080bd8257478564ac90323809c754fe9c4f063d1178e4c75a5
SSDEEP

12288:w5hAPjVQDNwwkBr/kS6jtmw1Bp3FkKwE31iV74uDqXYDvL:wgq2wkp4BmuFKE1c4MnDv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	0b5544cbf3ec43f21f7f55882806b850N.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	zikumiv.exe
940	~DFA265.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	~DFA265.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4784	1596	0b5544cbf3ec43f21f7f55882806b850N.exe	85
PID 1596 wrote to memory of 4784	1596	0b5544cbf3ec43f21f7f55882806b850N.exe	85
PID 1596 wrote to memory of 4784	1596	0b5544cbf3ec43f21f7f55882806b850N.exe	85
PID 4784 wrote to memory of 940	4784	zikumiv.exe	87
PID 4784 wrote to memory of 940	4784	zikumiv.exe	87
PID 4784 wrote to memory of 940	4784	zikumiv.exe	87

C:\Users\Admin\AppData\Local\Temp\0b5544cbf3ec43f21f7f55882806b850N.exe
"C:\Users\Admin\AppData\Local\Temp\0b5544cbf3ec43f21f7f55882806b850N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\zikumiv.exe
  C:\Users\Admin\AppData\Local\Temp\zikumiv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp OK
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6044746b66624b75768fef0ceab788ba

SHA1
4059039957b478b8e037dab2ddfdeb84235f0168

SHA256
2c204347a93f5e349d018ae3374ae56d79413114541654240d52d2563e5e35fd

SHA512
478b91b6cc77e579259eb049a7c2a5f8a610329bf231d350fdf3cbad3996ea26f5316e32c05e3fc0420859fa96de4d4995a386fad513c6a94bf82035f40a8ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zikumiv.exe

Filesize
765KB

MD5
336ec553202fe98366e2ecbf13e76383

SHA1
53f51961f0c25e24ace2572b8cb5513eded16e43

SHA256
40fabb07ba002ca0f4ce467f2d00b8ee1c3af4e0c95862852b1b24f10436fbcb

SHA512
7a184abdfb51f80d82b1902a5a674bbfd79a2cdec243fb389705caf5feac283798353a81a7c7ea45093c9e73ecf12bbefd29c06402e0c9e30fa1c77a6c03514b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp

Filesize
768KB

MD5
1d3378136fe1b1bcbe7376da9d13e906

SHA1
0208ddbc8404e5be81cfbd42c841262e58a30ab3

SHA256
def1bb9f956c2b07bfe4c5323c357045c8920407c47f25166569a5bc0a1d10ae

SHA512
4c20f1ea59b48e088446b43f2e50559a9f0ea45023f3465a29f8d0dd278d8571f9ff29f6e5a05b22d6f0260f53bc75fc8338a1cb03795ec99c571988a2826042

Download Submit
memory/940-15-0x00000000009E0000-0x0000000000AB1000-memory.dmp

Filesize
836KB

Download
memory/940-21-0x00000000009E0000-0x0000000000AB1000-memory.dmp

Filesize
836KB

Download
memory/940-26-0x00000000009E0000-0x0000000000AB1000-memory.dmp

Filesize
836KB

Download
memory/1596-0-0x00000000007E0000-0x00000000008B1000-memory.dmp

Filesize
836KB

Download
memory/1596-18-0x00000000007E0000-0x00000000008B1000-memory.dmp

Filesize
836KB

Download
memory/4784-9-0x0000000000380000-0x0000000000451000-memory.dmp

Filesize
836KB

Download
memory/4784-20-0x0000000000380000-0x0000000000451000-memory.dmp

Filesize
836KB

Download