ab630c50d0a7881571a296b38355a0eb3d62b17875cfaa8925c663f0fd3ab493

Analysis

max time kernel
111s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 10:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d121e2df65d070b18fe030e05bb22c0N.exe
Size

22KB
MD5

9d121e2df65d070b18fe030e05bb22c0
SHA1

e398eb1b7ad9fa0de68145e25d43ea01d72db5a8
SHA256

ab630c50d0a7881571a296b38355a0eb3d62b17875cfaa8925c663f0fd3ab493
SHA512

31ee55f2e72766c726e72842c4a6c0b4a77c9733499c1ff68d1b97c53282c08f259f90fc5fb6f829caee74c2a818f8f3f83cccb9e0e4aa2d65714156ab08c518
SSDEEP

384:F3EqGY2HXgrS40Lol5ZLzH4VhvshYpATUgch1A9NB/erxUkr:F3EqG5H8PuoljH4vEhkgs1lxj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	9d121e2df65d070b18fe030e05bb22c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 2520	244	9d121e2df65d070b18fe030e05bb22c0N.exe	84
PID 244 wrote to memory of 2520	244	9d121e2df65d070b18fe030e05bb22c0N.exe	84
PID 244 wrote to memory of 2520	244	9d121e2df65d070b18fe030e05bb22c0N.exe	84

C:\Users\Admin\AppData\Local\Temp\9d121e2df65d070b18fe030e05bb22c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9d121e2df65d070b18fe030e05bb22c0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\winupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
22KB

MD5
bceb59d15fcb30a74c93d38bcefa1fff

SHA1
cb922d3d9346b8f2c107744646b76ca8f058bd57

SHA256
5838e84ebdbf2298268b43a9f86b3667ba5977be7e0736dc8e47427266f05716

SHA512
8f5e3982fb78e4564350d285bacd6b18c998927ffb99c3966d926d4f32ea553029994746e1285d0e8460fb05c3045a3075f70fefa88a4f0a50c80e9f27276cff

Download Submit
memory/244-0-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/244-1-0x000000000050D000-0x000000000050E000-memory.dmp

Filesize
4KB

Download
memory/244-2-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/2520-12-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/2520-13-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download