bd9f52a17745641371b2bbe039c5710034823221ef0cf34ed1889a31352a4cdc

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1286eacee9851a3451b118d70403a890N.exe
Size

29KB
MD5

1286eacee9851a3451b118d70403a890
SHA1

35c38d790188a59a8772ebcfab745917b4b1223e
SHA256

bd9f52a17745641371b2bbe039c5710034823221ef0cf34ed1889a31352a4cdc
SHA512

f03aff8597edf0818b128c182a4c2aa9c06189ce7d52808f15b0e6c88a74d3cb955bb72517c3d4dd2050a1e677453f39edf39361db40e134d4b8f55cd66aac77
SSDEEP

384:AGNkzd6k6qeGOIuQt50yV3GQhn93MKguGikhscLIFxJEpAIgG4:A+6lS4N3GQP3XLBgwx6pAlG4

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	1286eacee9851a3451b118d70403a890N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	jkgfddk.exe

Executes dropped EXE 1 IoCs

pid	Process
428	jkgfddk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1286eacee9851a3451b118d70403a890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jkgfddk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 428	2372	1286eacee9851a3451b118d70403a890N.exe	90
PID 2372 wrote to memory of 428	2372	1286eacee9851a3451b118d70403a890N.exe	90
PID 2372 wrote to memory of 428	2372	1286eacee9851a3451b118d70403a890N.exe	90

C:\Users\Admin\AppData\Local\Temp\1286eacee9851a3451b118d70403a890N.exe
"C:\Users\Admin\AppData\Local\Temp\1286eacee9851a3451b118d70403a890N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe
  "C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe

Filesize
29KB

MD5
f51fd7d72629e04d96b5828616478a81

SHA1
c11d782088730135b329c5f4728fa44af536445c

SHA256
e9c6b4e1d1272f2f5763b0b54e7071da296cdb331c92faaf017a40aaf41cea82

SHA512
415e19d27bbad071db869cf07f03e6f643b40dbb86e3525362d825dd8b9c7ca47db133b204a846d671de1bc11ae4a099b0af2a3fea85fd0a8d853506333bfbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrtsdnn.exe

Filesize
1KB

MD5
e0a7dddad025212f4e8d7c9f3e3a3161

SHA1
44c10c10dc8267696f7c159a48310b20fcfaa088

SHA256
61874852b0e1cb859fd2d5deeb7e845e68e1da055b6145120c00cf323f3572fe

SHA512
fb5e5ff995bbe83925e6d02c5d7c4fc53c5d703b19d1fd78d1784e2c91ed177c54f04d100c0bebe09f549dd83975a201b89feba6379317e08c99a3732a325870

Download Submit
memory/428-21-0x0000000002050000-0x0000000002057000-memory.dmp

Filesize
28KB

Download
memory/2372-0-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/2372-1-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/2372-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download