146ad4d060dda3fe2528f3c29b912544d44a13e5b617e24d1da3c868dda07ca0

Analysis

max time kernel
102s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c08951b88f5af3ab8be153fbf5ad15e0N.exe
Size

33KB
MD5

c08951b88f5af3ab8be153fbf5ad15e0
SHA1

8bc1bef8670a74a96050a0e7cc402b23a5f9c2c3
SHA256

146ad4d060dda3fe2528f3c29b912544d44a13e5b617e24d1da3c868dda07ca0
SHA512

65f3b9f5db86e1204628f0f5d9eb16301c45cdb3b004d47da25253c9d82e3a68de0ff875871d5c71de33313fb3ef4ef227c54e5a528a9480b8d51a5cb35d03a2
SSDEEP

96:5SRBLhbrluHnnwR2Us2CdAhxyeItLQHAnIccrLJ9x2FjlSRRg1NRevPhrFEMnjaI:5yBVfonwR215AyInTcOFvP8Ai/Dm5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	c08951b88f5af3ab8be153fbf5ad15e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	samhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1700	2940	c08951b88f5af3ab8be153fbf5ad15e0N.exe	84
PID 2940 wrote to memory of 1700	2940	c08951b88f5af3ab8be153fbf5ad15e0N.exe	84
PID 2940 wrote to memory of 1700	2940	c08951b88f5af3ab8be153fbf5ad15e0N.exe	84

C:\Users\Admin\AppData\Local\Temp\c08951b88f5af3ab8be153fbf5ad15e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c08951b88f5af3ab8be153fbf5ad15e0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\samhe.exe
  "C:\Users\Admin\AppData\Local\Temp\samhe.exe"
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\samhe.exe

Filesize
33KB

MD5
7deb11f6328c262a0c594281765e1e86

SHA1
2d9e53dfac4288d9587b69979584170f14103968

SHA256
3e9d6ba18eb751970ecc857d89fd9304f80cd92f1581695043ae091addc0b28b

SHA512
3f3f6a95c1c7a56d60c31d270f55a32cd29ea23394289aab1ccad03815045d422ba2ef9942b17a632fac49896367bdb25fce730a0aaa1e15e912b08733d04ccc

Download Submit
memory/2940-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2940-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download