357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

2ee2b50b5e4ca76e33244569b962c139
SHA1

2dc786b5da140ba79e6fd6288e8f6c34e0d8dab3
SHA256

d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44
SHA512

cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11
SSDEEP

49152:N7mrmYPoEHVGTWFkO4ITVpSuEqW/vrM3rA3SuNg:Wm2Z12WFYFXS

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
916	$_3_.exe
916	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
916	$_3_.exe
916	$_3_.exe
916	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1712	916	$_3_.exe	85
PID 916 wrote to memory of 1712	916	$_3_.exe	85
PID 916 wrote to memory of 1712	916	$_3_.exe	85

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4509.bat" "C:\Users\Admin\AppData\Local\Temp\1115A92CFDF8407C8BDAE13633828AE6\""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\$IEQ8M1Q

Filesize
98B

MD5
543262aed439a768e4097c9ec2c3f7b4

SHA1
a95a576196137e186c15e59f7b51ee1430f1c698

SHA256
03ac4c16759339428822bbfbef60d17fd4712b863c2acf6073eb9239f7b1082c

SHA512
386d6b4b977287ad5c6f4a245fa2a51d31537d9b275fea198b1b588948ea44f9e7dfd23ad73d8904dbcd459cd02036126ac5753764f843ffa91bef1d9edfddac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1115A92CFDF8407C8BDAE13633828AE6\1115A92CFDF8407C8BDAE13633828AE6_LogFile.txt

Filesize
3KB

MD5
76f75d28652b0bdaa2b10ed4ca5ee3c5

SHA1
53708da0291fbae7af1db6e0c2352a594ae41ee7

SHA256
71099bfeb15fa78f6a8e699ebd433c27f63cbc7833d57ca0b931ad1225490bcf

SHA512
6a626f20a7ff85a41acd466e61ca8ccd7d00956d2a0602b1398d3451381a10ce6c662bf7340afe3015c36b9937daa3f0273c2e3bec48bfea51cb0489cdf43685

Download Submit
C:\Users\Admin\AppData\Local\Temp\1115A92CFDF8407C8BDAE13633828AE6\1115A92CFDF8407C8BDAE13633828AE6_LogFile.txt

Filesize
2KB

MD5
e3e3561a5a9e9b02666be2afacbc768a

SHA1
8068f08ce35d2d2a433644aaffe049943c0e02d3

SHA256
719ee9291796fe5d5adc926fdde0e383fd3ff234778290954720830d193c24e5

SHA512
56ea1baf18c1e14ee3a36e8a96b0f091600c392a32105fff4ecdd7afe5ed5e9edfbdcbfab37dbba847313dd4e4f4920a236b5918a4be8f78380b187bd1d581df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1115A92CFDF8407C8BDAE13633828AE6\1115A92CFDF8407C8BDAE13633828AE6_LogFile.txt

Filesize
4KB

MD5
fbd13d432f66dd197ee29f30f5e01e5f

SHA1
ce6a05edc6629d7197d8c771317096eb52ffdd44

SHA256
7f34cd664708804a4f2ae2ab37a853a2caeeeebea3a55fa68c13320c1c130470

SHA512
7893a8e061fcc512c1d0581ceb5685676d4aa5e6ba75b7a782c4a53d0c53a9fde4ecfcf964fb5eb9bf48fabbcc4c183bdaca2f305e7bfd79d72e2589332e3d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1115A92CFDF8407C8BDAE13633828AE6\1115A9~1.TXT

Filesize
30KB

MD5
13d7e60f05d66c35f7eb724ca97950c2

SHA1
2a7ed16ddb46e316da852efce1106e5808e2ecf8

SHA256
d92eb971403e74e0b4f15cab16de1ed4466666d2fee9b8831e030d213e8a704a

SHA512
835e3f359ee6f6b6a90250a065f897ceaf0e4bc58293439ddae4c4feff00e6b2eb8a0c1e8a0c7b27f28d90408ce861f9b4e5ccf99127a98f0c15976e300b5d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\4509.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/916-63-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download