ab959766decb7ceb0eeec70525122ee221e05d8bcc2d8e5729958f48534eacd8

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b884c1fc7ba28f34a33e7066ca0851a0N.exe
Size

8KB
MD5

b884c1fc7ba28f34a33e7066ca0851a0
SHA1

0faed482170d86ddaef1e1de1272be326b27aebb
SHA256

ab959766decb7ceb0eeec70525122ee221e05d8bcc2d8e5729958f48534eacd8
SHA512

2e7cb9c96d9458ed371a61cbe41ba156ebf95133c1ff59cb8e1a89b589d53d857b635a25048292af0ffbd194620387ec09231756c428dc69a268305627e6386c
SSDEEP

192:nrcR+j9XQAhDxPJL8wmMkXfE94lYp+dV/R:r1XQID4hMCE9qYp+dV/R

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	b884c1fc7ba28f34a33e7066ca0851a0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4196	wujek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4196	3400	b884c1fc7ba28f34a33e7066ca0851a0N.exe	85
PID 3400 wrote to memory of 4196	3400	b884c1fc7ba28f34a33e7066ca0851a0N.exe	85
PID 3400 wrote to memory of 4196	3400	b884c1fc7ba28f34a33e7066ca0851a0N.exe	85

C:\Users\Admin\AppData\Local\Temp\b884c1fc7ba28f34a33e7066ca0851a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b884c1fc7ba28f34a33e7066ca0851a0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\AppData\Local\Temp\wujek.exe
  "C:\Users\Admin\AppData\Local\Temp\wujek.exe"
  2⤵
  - Executes dropped EXE
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wujek.exe

Filesize
9KB

MD5
3c6c96acf7240c4d8a36ca71506726cd

SHA1
200fd1df6b9ed7b68bbe6a5bc3ee547b6879e619

SHA256
b25c7f5fca50249136f435b43c49c5b538f5e2f989cdaab0597fcd0dd4dc37d1

SHA512
0b15022e1f664926815fafb532b8fd7e7efce0015cff8d027a523543e78d6a128ccd041e765a96687eee1cbfee5bfb5031f546089d6ad7979f8fbbcbfc5d1b0e

Download Submit
memory/3400-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3400-1-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3400-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4196-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download