56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
Size

9.7MB
MD5

b962e0d15ff53f01eabe7008c4386f9d
SHA1

bcfa0c259a03c5c14aeea3a7c0a032db45f1025b
SHA256

56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9
SHA512

ec796fa60b22d5a47581990eae38660b0bbf9d4a89005488dc155376367db000fedff53a38937cf5cf9df7abc1acb93e141bb7c106b895e7c300f6ff0be67753
SSDEEP

196608:u9iHfdAiSkhVB8H9OxvsByWG2xxcKIgJlKIpJU2DtUGteFpXR7th:8i/dD5V6dOCyWG2NIgJ5pJdDtUGUrXRr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1420	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	91
PID 224 wrote to memory of 1420	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	91
PID 224 wrote to memory of 1420	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	91
PID 224 wrote to memory of 3252	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	93
PID 224 wrote to memory of 3252	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	93
PID 224 wrote to memory of 3252	224	56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe	93
PID 3252 wrote to memory of 2268	3252	net.exe	95
PID 3252 wrote to memory of 2268	3252	net.exe	95
PID 3252 wrote to memory of 2268	3252	net.exe	95

C:\Users\Admin\AppData\Local\Temp\56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe
"C:\Users\Admin\AppData\Local\Temp\56bc14edcfa27cd7f771cdeeb5e603bbce126744468d7e852a1bd75f97bf4ba9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config UxSms start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1420
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" start UxSms
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start UxSms
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\iNodeLog\stp_UtlFile2024090201.log

Filesize
907B

MD5
6bb51b1e23966dc896476fb2d2ef7098

SHA1
7c74287f92afc025256860ff5f6fba5d7842d3d7

SHA256
c2fdb68875ab9b3b394d502ccd08b320ac21184213b7dd6b399155db1c884eaf

SHA512
57d7c4e4ab1f72ca8996c10952c88f8dc003d4084e6282b2e89ec1365fd504444525d602e3e2607f6b0bc63da2259ef8a7ecae19f4132b0f2c2c44bc535b4419

Download Submit
C:\iNodeLog\stp_setup2024090201.log

Filesize
1KB

MD5
e10e6bc00416652d45e0baa86ab0a920

SHA1
899d8ae001b556c78d6308959d19cd4fdd808c1d

SHA256
54572072dabff6641b11ed174375afc630432ef19d3c061a94bce70ff85f08da

SHA512
10297f9ae11aa08556b9d35b23b1282526f2b69e694d3aa2e858f12191076416cde3f30988c08da21ef93f22b29d2e317180aa906e2dfa582410324845b453f6

Download Submit