Analysis

  • max time kernel
    96s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2024 15:02

General

  • Target

    a389f5ee8285c796777a25099d3cc3a0N.exe

  • Size

    47KB

  • MD5

    a389f5ee8285c796777a25099d3cc3a0

  • SHA1

    c6ce52bc53753a8bfab6fee9fee724d05f8d5ff6

  • SHA256

    47a1e2086a632d071fcf2fa109fbc228747c21dd99097413a2ba42d02e5c20c6

  • SHA512

    15bbeba0e1dbdcdee66ed5cd3c75ac6438f6c2d05a6512f510f389ba551a5b70850e3be2fc8815c22b85e694be101960b6479b37a84d86f8ea62f7965e610a79

  • SSDEEP

    192:GrITdb2X2VFmfjNIGmMTPUEN7jIZSnDJLVwqnkqU/CDola0e9JzDaU0FiBs:yIT4BjKGmMztNvIZSD/wHqUWolEDCUKt

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a389f5ee8285c796777a25099d3cc3a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\a389f5ee8285c796777a25099d3cc3a0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
      "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

    Filesize

    47KB

    MD5

    79d24deeacc4d8f65d1e66a650e9c399

    SHA1

    1d57427643958329ad28f65de6dda7657a425de1

    SHA256

    ab6f1e46ab1673f9264da3a65f3a8854c4cc82fba89e36bb561715afeed9a8c9

    SHA512

    685cf1f578e0db30c645b201ad8438da0a4c5abf4b6d51236f4d809a3c7eaa1eeec315163b3019d89abb3874c4acc1994df752e15ca805b15e287fa038d35227