7e55c666ef95c4a54d4d0743e8d3a3d8ad044da6c6e6bb55c68c35f7fec7c182

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

030d1ada12ba3400ccffbdf60064d0b0N.exe
Size

60KB
MD5

030d1ada12ba3400ccffbdf60064d0b0
SHA1

ae04549e9a623e4a8e810c2b7379fed5e6aebf47
SHA256

7e55c666ef95c4a54d4d0743e8d3a3d8ad044da6c6e6bb55c68c35f7fec7c182
SHA512

91031e36f0fbbc0d77b9a41fd014100b0ed11f04d352815fbb7545431a88bd1d990ebdd497083f9c5b075789b8e69929610b2019349c655a7d6326d36da5aa11
SSDEEP

768:szM/e9xPnxrdAakEfzQsEkejRLXmIdgssROTrj2J:3/Q5xmGXEkejRLXmIdYRd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	030d1ada12ba3400ccffbdf60064d0b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
672	pwhxl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 672	4036	030d1ada12ba3400ccffbdf60064d0b0N.exe	85
PID 4036 wrote to memory of 672	4036	030d1ada12ba3400ccffbdf60064d0b0N.exe	85
PID 4036 wrote to memory of 672	4036	030d1ada12ba3400ccffbdf60064d0b0N.exe	85

C:\Users\Admin\AppData\Local\Temp\030d1ada12ba3400ccffbdf60064d0b0N.exe
"C:\Users\Admin\AppData\Local\Temp\030d1ada12ba3400ccffbdf60064d0b0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\pwhxl.exe
  "C:\Users\Admin\AppData\Local\Temp\pwhxl.exe"
  2⤵
  - Executes dropped EXE
  PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pwhxl.exe

Filesize
60KB

MD5
897b8678379adda997b0e83d30a438a0

SHA1
6072201ce492c15b397b2235f9b6a2e8bb6d9bcb

SHA256
4e5c9f4ee1ba61ebdf9997f171881dcefa87eb31d2fb2873fbc6ec820eaeed57

SHA512
21391589a78daaf6b90f93ab5d48d04e3e23c8074ce1081de032588210e7c7bd31393d93e8cef65ca6befc9c47e9b0aa510ecf5fcebe9cb5639f3d4d5ce67ba5

Download Submit