be92f101422bcc55019670544cc3d4566dfbba135de21be2b1889919f4f8a4c2

Analysis

max time kernel
95s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d595d85a304ba222698d72a3865050N.exe
Size

45KB
MD5

95d595d85a304ba222698d72a3865050
SHA1

1326bf4ec1450817443c45853a2ef9aa65c8b263
SHA256

be92f101422bcc55019670544cc3d4566dfbba135de21be2b1889919f4f8a4c2
SHA512

45cb09fccde450904b017332a725caff197b1da684e020b860c49ba695175fe4612551a5541267da9ae6b50683c020d1601ab2c847c94738384979b6d0df1ef2
SSDEEP

768:CnnOWEvtPvkFk58sCu84euZR5FbrGePc/3FttKAeiX+:CnOtvtPf58k8GtBSXtKAL+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	95d595d85a304ba222698d72a3865050N.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	pdflauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 2256	240	95d595d85a304ba222698d72a3865050N.exe	85
PID 240 wrote to memory of 2256	240	95d595d85a304ba222698d72a3865050N.exe	85
PID 240 wrote to memory of 2256	240	95d595d85a304ba222698d72a3865050N.exe	85

C:\Users\Admin\AppData\Local\Temp\95d595d85a304ba222698d72a3865050N.exe
"C:\Users\Admin\AppData\Local\Temp\95d595d85a304ba222698d72a3865050N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\pdflauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\pdflauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdflauncher.exe

Filesize
45KB

MD5
204e56ca02a96f6b4b44cadd39929ef7

SHA1
758c436f192ddf218d4c590345b44eb45be280ef

SHA256
c3de7a3608f85dd4d3992fef0868d02fc61df1759b5715de36008f1315b817d3

SHA512
b2aeb33551d810321efddfd3e265c3817dabadfeca7314126b79236894670b6d226177cb112824b082b6b988d4b2be7ca2acbf3c70cd4ee1a77953f17fae5d84

Download Submit
memory/240-0-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/240-1-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/240-3-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/2256-12-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download