0ace954b2268b9c7c12b15cda24af0610ccbd7aeb2bc2faf0a717bc0ba4dca8e

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

77bfacca17ee1d89833b57f3a746d9a0
SHA1

aa9490c913489c5eafd02f67f875efcb56d23036
SHA256

38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512

21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
SSDEEP

49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2592	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2592	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4728	$_3_.exe
4728	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4728	$_3_.exe
4728	$_3_.exe
4728	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1056	4728	$_3_.exe	92
PID 4728 wrote to memory of 1056	4728	$_3_.exe	92
PID 4728 wrote to memory of 1056	4728	$_3_.exe	92
PID 1056 wrote to memory of 2592	1056	cmd.exe	94
PID 1056 wrote to memory of 2592	1056	cmd.exe	94
PID 1056 wrote to memory of 2592	1056	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27573.bat" "C:\Users\Admin\AppData\Local\Temp\72FCF83F48C946B8A00DBB41083A8C10\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27573.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72FCF83F48C946B8A00DBB41083A8C10\72FCF83F48C946B8A00DBB41083A8C10_LogFile.txt

Filesize
9KB

MD5
8ce9c6327d7b6b3be73f48becbb0d213

SHA1
bf755abe85cbc469991638b1c229452c85787660

SHA256
15df5d6b4a0946da6f5ecf80dd66b315ed991c678c1341209ada10e16bf98614

SHA512
53d19c358bbc9519f4a1c6a02a13730d86863182cf48d404d437bdda75a40bca9b250ce25df9209b78a09cd763c4bf85659555df765fd91ed36836a068adcdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\72FCF83F48C946B8A00DBB41083A8C10\72FCF8~1.TXT

Filesize
124KB

MD5
4e4649109bdad1456639bc16662570e2

SHA1
46d8aa31c5f87a47e4dfa37788fcca94878bd8a0

SHA256
c516a6ec3ff67c6465eab4ba1519e0dee810058e9090efd49a7f7961b7fe2382

SHA512
a67c4803f9741b392b70c85add2364917fda773872ee2d6341858c1445879362bbe870101cd42dc08ba6f25afe65f365e6786c778c615ee4910423fd19e00836

Download Submit