7f74b2c86e9f5706fc44c8d5093a027d1cd5856006aa80f270efae26d55c9131

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 04:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c3049f8e220c2264692cb192b741a30N.exe
Size

898KB
MD5

4c3049f8e220c2264692cb192b741a30
SHA1

46c735f574daaa3e6605ef4c54c8189f5722ff2a
SHA256

7f74b2c86e9f5706fc44c8d5093a027d1cd5856006aa80f270efae26d55c9131
SHA512

b13dc855c3c06b56aa9bf181680b69003839adeaf16c5372912004a7bf42882e340c445c58e24e083692b4dcbb15c3e0cf244664458ccdd0dd7668b440277e0a
SSDEEP

24576:juDXTIGaPhEYzUzA0aVuDXTIGaPhEYzUzA0bZB:KDjlabwz9jDjlabwz9dB

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	4c3049f8e220c2264692cb192b741a30N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	clamer.exe

Executes dropped EXE 3 IoCs

pid	Process
2860	clamer.exe
4528	thkdh.exe
3608	dcceopi.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	thkdh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thkdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcceopi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 872	4756	4c3049f8e220c2264692cb192b741a30N.exe	81
PID 4756 wrote to memory of 872	4756	4c3049f8e220c2264692cb192b741a30N.exe	81
PID 872 wrote to memory of 2860	872	cmd.exe	85
PID 872 wrote to memory of 2860	872	cmd.exe	85
PID 2860 wrote to memory of 4528	2860	clamer.exe	87
PID 2860 wrote to memory of 4528	2860	clamer.exe	87
PID 2860 wrote to memory of 4528	2860	clamer.exe	87

C:\Users\Admin\AppData\Local\Temp\4c3049f8e220c2264692cb192b741a30N.exe
"C:\Users\Admin\AppData\Local\Temp\4c3049f8e220c2264692cb192b741a30N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4528

C:\ProgramData\hnufq\dcceopi.exe
C:\ProgramData\hnufq\dcceopi.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
fb30b403c1fa1d57fb65dc8b8e00e75c

SHA1
161cf9d271aee2d7d2f7a0a5d0001830929c300b

SHA256
83d9579e6b71561a9dafbdd309b4dbfaddf816c7ccc25e4672c8d9dfb14b6673

SHA512
d0d15e51527bcfad38c01c46b4c43257407ead9c328bc4d48d21c9702c16872e52509e014444e78cd22f1ad96c11a88d281c2a745df0a4ca21243352f879de85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
238B

MD5
c86dbf5f45df4891c2ac8b0ca51a0d03

SHA1
c289eab3ec1c2b8fae8044926415f2293f282c6a

SHA256
d01d733d3ce4ba73390f150dfbf5be35ec63db15901aa99c07da77384a9bcaa8

SHA512
eaad352d86e27ba0bf2dd4f2c0fadbd570ff598b2c32a672c294a81ccefdd0c25c07b7e2ab24a5de0ecf3810b945329c17b074f77243347d216ace905eb5a113

Download Submit