Analysis
- max time kernel: 113s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-09-2024 18:14
Static task: static1
Behavioral task: behavioral1
  Sample: e0d88f5934f1db8a15373706387dce90N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e0d88f5934f1db8a15373706387dce90N.exe
  Resource: win10v2004-20240802-en
General
- Target: e0d88f5934f1db8a15373706387dce90N.exe
- Size: 159KB
- MD5: e0d88f5934f1db8a15373706387dce90
- SHA1: 3d6a633b8f7052b70cc4cc293e31bbaae7382a99
- SHA256: e59a1eeb4f320c90c7b358f591ce6c1b7a97c1ee48bd30397c8b1c6960893bc9
- SHA512: 2602501472c2e3fb328173919e68de138d5b23b1c3e73b3d6ac25590b9a0989379ff3849aaaeb6267b5ae5c7ddadf80d2cdf0a3294f02586402ffed0ca46022f
- SSDEEP: 3072:wq6+ouCpk2mpcWJ0r+QNTBfz95PjQeenDc3:wldk1cWQRNTBLreo3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | e0d88f5934f1db8a15373706387dce90N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0d88f5934f1db8a15373706387dce90N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1420 wrote to memory of 2088 | 1420 | e0d88f5934f1db8a15373706387dce90N.exe | 86
  PID 1420 wrote to memory of 2088 | 1420 | e0d88f5934f1db8a15373706387dce90N.exe | 86
  PID 2088 wrote to memory of 208 | 2088 | cmd.exe | 89
  PID 2088 wrote to memory of 208 | 2088 | cmd.exe | 89
  PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 90
  PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe"
  PID: 1420
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F73.tmp\6F74.tmp\6F75.bat C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe"
    PID: 2088
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      PID: 208
    - C:\Windows\system32\reg.exe
      Command line: Reg.exe add "HKLM\SOFTWARE\EasyUEFI" /v "License" /t REG_SZ /d "KV2CS7TDQZ58QHAEHVNYQEWE3W465QEUXD4H4E5EQPNY2SQF" /f
      PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 349B
  MD5: de026db21eacd755ebc37df170efb0d4
  SHA1: 093660f29d2c103a96944d468c60d51ac40fd865
  SHA256: 979c1644e0f9d081cd3a5cdd36ee38bc7e3294af63303f6055d7d5adc211217c
  SHA512: d77192000f57ad361e465f629ff990acaa0cea9f84be816426bcbe14af0b0e2e571c3bb85af41fadaede584f5132d6e91e40073be0d5b8cff134d3518fe29e6a