58b70699a1e9794e968dda61f28c89fe41e217f57e38c143ef85e85376d39928

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88bde0e624f818cc111309f8fa462190N.exe
Size

52KB
MD5

88bde0e624f818cc111309f8fa462190
SHA1

f1b0e01da74b62e04b9ffc34cf15d15b0807ec67
SHA256

58b70699a1e9794e968dda61f28c89fe41e217f57e38c143ef85e85376d39928
SHA512

a8c30ef357c0a99a0c47b82a1988df7bbe10ed276ccb144e415d68106b8f5b7ba477167d2a99742cbc40258e7cfb2fdb5e376fe5e155893ab2de19701a1c0c4d
SSDEEP

768:jJEHIzP41G5GNx00lRZNGu1ioXqFQnb5FAAMWlOwOq:jJYoP+dNx9LZ0YbXTmAMWUBq

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	88bde0e624f818cc111309f8fa462190N.exe

Executes dropped EXE 1 IoCs

pid	Process
4696	tjio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88bde0e624f818cc111309f8fa462190N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4696	1924	88bde0e624f818cc111309f8fa462190N.exe	85
PID 1924 wrote to memory of 4696	1924	88bde0e624f818cc111309f8fa462190N.exe	85
PID 1924 wrote to memory of 4696	1924	88bde0e624f818cc111309f8fa462190N.exe	85

C:\Users\Admin\AppData\Local\Temp\88bde0e624f818cc111309f8fa462190N.exe
"C:\Users\Admin\AppData\Local\Temp\88bde0e624f818cc111309f8fa462190N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\tjio.exe
  "C:\Users\Admin\AppData\Local\Temp\tjio.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tjio.exe

Filesize
52KB

MD5
2cf88b451b6abf50d208f97b06d908d7

SHA1
5433bc0ea09747ed0d9ef23fe4b63a0d23a05b42

SHA256
7f48e5659ba725586eeb40940eeba4d5180aee5f45dd7182a0b58b0ade88a99c

SHA512
85c9d1be65cf1d9a64d455eedfdecf54b7903370106c1ddd4e0e87c1805b5ea9749ec833e78f375285830e11dbec72720613ed86359ce8e5380542d36806dc04

Download Submit
memory/1924-0-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/1924-1-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/1924-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4696-25-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download