a8618a44063f1ad36a85d0a672f79c6a6e97a8167816b1e480838819d29aa816

Analysis

max time kernel
415s
max time network
1133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image_LoggerV2.1.exe
Size

565KB
MD5

bc8da07d2893251d1a880da1685d805b
SHA1

c71067599467c8a1715b4a619057b34e621d59b7
SHA256

a8618a44063f1ad36a85d0a672f79c6a6e97a8167816b1e480838819d29aa816
SHA512

89c71f65ab7a94203db04ac8e04061b24b8f4f3d0f9ec3e09b9814960e2916ef9e002d81b83afb228217759e0f6c0d659417bb09aa446d6a8afe351e53bcf0ab
SSDEEP

12288:+yveQB/fTHIGaPkKEYzURNAwbAg+X3jOUGarNg:+uDXTIGaPhEYzUzA0k3j/vg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Image_LoggerV2.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3712	4384	Image_LoggerV2.1.exe	83
PID 4384 wrote to memory of 3712	4384	Image_LoggerV2.1.exe	83
PID 3712 wrote to memory of 3528	3712	cmd.exe	87
PID 3712 wrote to memory of 3528	3712	cmd.exe	87
PID 3712 wrote to memory of 4064	3712	cmd.exe	88
PID 3712 wrote to memory of 4064	3712	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\Image_LoggerV2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Image_LoggerV2.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEBREW TOOLS.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\system32\mode.com
    mode con cols=80 lines-25
    3⤵
    PID:3528
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEBREW TOOLS.bat

Filesize
2KB

MD5
3143d6ab7040bb22106cd3f1536c93cf

SHA1
a740ab848c13d3f330aeb7e827848fbabbd58a85

SHA256
39b85ae4a856c56355241b2968ea70810ab8eadd5e7a4c48e373229a9c9d07ff

SHA512
0ae9a6309fd3fe19521dd643210934c302d84e694b36dd6ae40e39b063e2fd59a8c2e9919e5fa316ebcdea5eb5ee68e3105152fb65c0f32c6930e5a6530d3375

Download Submit