4ef2a415f239c72f33a78aa4ca829c6e074f00e17872967947418e30b3a4df14

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a369deef834e5fb06b03c29dce6bd70N.exe
Size

42KB
MD5

9a369deef834e5fb06b03c29dce6bd70
SHA1

a976ed2a1f25bdf38ea93995f0026753fed690c3
SHA256

4ef2a415f239c72f33a78aa4ca829c6e074f00e17872967947418e30b3a4df14
SHA512

8cb918130d8baf4df083263e71195003c15dd327cae671151281f982c3fe3440448c66f7ca30cd2f129782df7b6d375471fca1f8de1bb0794424ff97a0a263af
SSDEEP

768:dYGtdtFR6M13vfdHldhwyEr+OGa0aEYS1y9YaPQy:GIUM13vfdHldhwt+OGa01oiaPQy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	9a369deef834e5fb06b03c29dce6bd70N.exe

Executes dropped EXE 1 IoCs

pid	Process
4396	updGA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4396	5028	9a369deef834e5fb06b03c29dce6bd70N.exe	85
PID 5028 wrote to memory of 4396	5028	9a369deef834e5fb06b03c29dce6bd70N.exe	85
PID 5028 wrote to memory of 4396	5028	9a369deef834e5fb06b03c29dce6bd70N.exe	85

C:\Users\Admin\AppData\Local\Temp\9a369deef834e5fb06b03c29dce6bd70N.exe
"C:\Users\Admin\AppData\Local\Temp\9a369deef834e5fb06b03c29dce6bd70N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\updGA.exe
  "C:\Users\Admin\AppData\Local\Temp\updGA.exe"
  2⤵
  - Executes dropped EXE
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updGA.exe

Filesize
42KB

MD5
96c7f788b7fe10e5e7a5a7037ffc10a2

SHA1
f2a1568fc3218fb3b9667abb813254b4ab9ae7b1

SHA256
a2407e5984f394ffb3a787f19389d7ceb6c3e4280c0605fd3cabb3cba78ec1a8

SHA512
9037bcd7f038a0faa5c7ff9393b80cc312efc23231484fa4c44827567a19cb3fbecd92c99240ae5ab50d1754b637e1c5432323c692f9364f8eb590779cd08a3d

Download Submit
memory/4396-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4396-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4396-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4396-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5028-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5028-1-0x0000000002150000-0x000000000215A000-memory.dmp

Filesize
40KB

Download
memory/5028-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download