b103827df422104e89b003c174c8442c879879b7ef886c943a3306b11f8d116f

Analysis

max time kernel
103s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

696dc28f0674f41742355b3f2e167270N.exe
Size

39KB
MD5

696dc28f0674f41742355b3f2e167270
SHA1

8328d1843601bb6e4d44c70c7e156bd90f00913d
SHA256

b103827df422104e89b003c174c8442c879879b7ef886c943a3306b11f8d116f
SHA512

e544a7073a4df03b128c968d604f38774f67020a7f3921cf377ff4b3e5f2fdd05c9ccc5c3a764651480801d4eb4191a8f2eb3e2e58716bf9381d74cad4019971
SSDEEP

192:jEdMPnwR2bCL8KktnAs7lp1FHif+SjInE6rNr5TdWooAeXR/V49d444UefDSwpIX:jFPnwR2Ca1lpvH6dMtRe5/J0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	696dc28f0674f41742355b3f2e167270N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	gert.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	gert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1660	2904	696dc28f0674f41742355b3f2e167270N.exe	87
PID 2904 wrote to memory of 1660	2904	696dc28f0674f41742355b3f2e167270N.exe	87
PID 2904 wrote to memory of 1660	2904	696dc28f0674f41742355b3f2e167270N.exe	87

C:\Users\Admin\AppData\Local\Temp\696dc28f0674f41742355b3f2e167270N.exe
"C:\Users\Admin\AppData\Local\Temp\696dc28f0674f41742355b3f2e167270N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\gert.exe
  "C:\Users\Admin\AppData\Local\Temp\gert.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gert.exe

Filesize
39KB

MD5
e6d545d3fec7aa2ed39ad316e42e6950

SHA1
d09bbf30046083494d89c079f8ead2337afbc2d1

SHA256
40695e976d5185428f901f1aecaedc2387fa00d44d3432dd62b357c60146400d

SHA512
f769ef77ecbdd82f38739a1b8265534f6fff54e859d67a96e62038b95546953ef6c1a9c8536d442f153efe5af3957395b89b429b448db308c9bc5f83139cbc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wekol.exe

Filesize
4KB

MD5
b649bb4bbcec6444434d2df7501effb6

SHA1
f8a04ac654e2234fa2644abf8e293d02bc01c8fd

SHA256
c2779250c7e25bb12281a890f3ec61c3585c5bbad82fbbb55a3068191004fc4a

SHA512
7265c870e9d51cd6f4936860ec4443ae21754634997be1294bd17c8cbe0c23dba56e730bcacecfa73f5b305fbefaf5b75e2747dfd3cd83cfe6b416ac8cc7ecf2

Download Submit