Analysis
Max time kernel: 105s
Max time network: 106s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-07-2024 07:14
Behavioral task: behavioral1
Sample: 85c739a75f0bab15342d19de2b8420d0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 85c739a75f0bab15342d19de2b8420d0N.exe
Resource: win10v2004-20240709-en
General
Target: 85c739a75f0bab15342d19de2b8420d0N.exe
Size: 36KB
MD5: 85c739a75f0bab15342d19de2b8420d0
SHA1: 238993d4b5a6e687e2de92ad130bbe3948913129
SHA256: 0113d751d6fae6c2bd30212658ced172a5196ba6e95d14dc653042292febef8c
SHA512: fded27abb8b218acff0d9c1fe3b73c743c3945a3d0ea5c29fa8f4116aea225a066f98ccd671103d94ce205569dfe2d52a375fa05567066ab433b9c7ac5ec5117
SSDEEP: 768:Jmao9Gg4IZq1B6GnbcuyD7Uvu5RRYTnmeyZHJf0qW46DgGTrj9qWHx3SU:+Gg1c1QGnouy8vu5nYjmLJJcfpj9qWHE
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation (process: 806B.tmp)

Executes dropped EXE (1 IoC)
  PID 2452: 806B.tmp

YARA rule matches (resource / rule)
  behavioral2/memory/408-0-0x0000000000400000-0x0000000000418000-memory.dmp / upx
  behavioral2/memory/408-8-0x0000000000400000-0x0000000000418000-memory.dmp / upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 408 wrote to memory of 2452 (process: 85c739a75f0bab15342d19de2b8420d0N.exe, procid_target: 84)
  PID 408 wrote to memory of 2452 (process: 85c739a75f0bab15342d19de2b8420d0N.exe, procid_target: 84)
  PID 408 wrote to memory of 2452 (process: 85c739a75f0bab15342d19de2b8420d0N.exe, procid_target: 84)
  PID 2452 wrote to memory of 3280 (process: 806B.tmp, procid_target: 86)
  PID 2452 wrote to memory of 3280 (process: 806B.tmp, procid_target: 86)
  PID 2452 wrote to memory of 3280 (process: 806B.tmp, procid_target: 86)
  PID 2452 wrote to memory of 1516 (process: 806B.tmp, procid_target: 95)
  PID 2452 wrote to memory of 1516 (process: 806B.tmp, procid_target: 95)
  PID 2452 wrote to memory of 1516 (process: 806B.tmp, procid_target: 95)
Processes

C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe"
  PID: 408
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\806B.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\806B.tmp C:\Users\Admin\AppData\Local\Temp
    PID: 2452
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      PID: 3280
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      PID: 1516
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 13KB
MD5: c798b425570b6b375bee7a6898197e99
SHA1: ac53c57da4bd29bf0595bc6458204d307ad6a2de
SHA256: 2cd3df9fd104d21ddfb298cb008410369ba0827d71f046f4d0abc0306ba34662
SHA512: 7c1c7ace9b777df5f937daba3f2e043044db75d767d2ca8999668cb0fb0c1a7c8e98d1af024e12b7243225f38a95040427764348ee58a23c63a2696398adf3e1

Filesize: 191B
MD5: 63224d4cf6405631b7bb89f67ab217a6
SHA1: b958e549efffb0aca78e758f2e48544da9e55845
SHA256: 9105e418064105d75671f37341195c33feeb8ae9b45cffd949453ec27761b1ad
SHA512: 608d1a7478c974205fa6a5b54ac6eb29384203dd73e06417bf92048b63d5fbc76f706f5f88d1690264c7c9ac7021fb475ceacb0f5098a6bcd331e75bdd5cae96

Filesize: 104B
MD5: 8c30c36020cc244604f805ea3aae60db
SHA1: 2dcb8659d56bbdb32b98d5b138d342a577919630
SHA256: cc8e59ca43cf283fd57ac803b46526852e165da0b83c60d0f77266c67703c22d
SHA512: e9bcc7ea6694bb920253b5a28e6d48d3c08dd6abf5bcca9b6d50181efe6b5e0be5e41475a92588caa5bff1dc7d019b29d32143390bc48dc5091707ad81c8c7c3

Filesize: 14B
MD5: ce585c6ba32ac17652d2345118536f9c
SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752