87bdc46e76fd1101658ec0d60281a9496bba39d1baa5fc3074541cef70c14670

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

e35e058dd2119eb0f0e852f8738fbab5
SHA1

b7f9388398a9643eddb97a6c2ebaf28b6189c9a8
SHA256

17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556
SHA512

d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c
SSDEEP

49152:rc4u49CbNSFXVJUtSH9zaTRpSWa6zjQWLtm5YXld:rz4GFJUtYf

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1592	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1592	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	$_3_.exe
3828	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3828	$_3_.exe
3828	$_3_.exe
3828	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 600	3828	$_3_.exe	93
PID 3828 wrote to memory of 600	3828	$_3_.exe	93
PID 3828 wrote to memory of 600	3828	$_3_.exe	93
PID 600 wrote to memory of 1592	600	cmd.exe	95
PID 600 wrote to memory of 1592	600	cmd.exe	95
PID 600 wrote to memory of 1592	600	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8133.bat" "C:\Users\Admin\AppData\Local\Temp\AC27D66734DF4040AC64E7253DF20851\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\$I9UO01Q

Filesize
96B

MD5
64a36e510346d9e43215b4cc71a06a88

SHA1
ef769e7bc482ae9d3c8d15ce997c95e39dd8f2b0

SHA256
8fe1b3801c30d77f1ea6f08c1ad4b16d38a1de7e73ed8325b143efcd6d136570

SHA512
7adf2bee11bdfa059d8cf20b7ec63c06c437e260ea614a5083eaf1fddb3cee26b8c15835973ed9129a472a521578691ca78d07c3f34408e7f8f03cd26356595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8133.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC27D66734DF4040AC64E7253DF20851\AC27D66734DF4040AC64E7253DF20851_LogFile.txt

Filesize
9KB

MD5
c272200873b776408db4d1b313978572

SHA1
114bc8613c8c9985eb540b800deddf3abe5d271d

SHA256
6324544d9fe8d185bfd7cb47179f5357427e2e007b885cf2f8f12faa52be8fbf

SHA512
56a924aeed43657ffc37548b3355219889e94ee3596ed6f4cb730ac95ab98d9aebe6a2b7a7929209e5142232f15588ebd8b6f019752432557e91ae170648f8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC27D66734DF4040AC64E7253DF20851\AC27D6~1.TXT

Filesize
121KB

MD5
f222e4fc3a8984c359906d27627e3c66

SHA1
f09f7b6f0977c774676b8254a570cf577f234af6

SHA256
44839363dfab3be40e7bef3215f646dbf742f52fc35cc386edd4fd78101a3715

SHA512
49df197814c885f2cb4ddf39254d4b07fb3f6ef19fd7a6e741d775363f3be2fa63136ff1463f0075055cb368b5ab60379119650df43af0a0d9de0cad9a22d5de

Download Submit
memory/3828-65-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download