46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
Size

371KB
MD5

daba502d270d8c7970e6413e70ad64f0
SHA1

64c12ff1354120dff0c71955d7639167941cd06a
SHA256

46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554
SHA512

a33791bb0d18cda7b3591b5f2088ed2f7f1c6f72d28cbf7ac34a49d60b4363f8f5866297c0a30616f74c6ccb256f98d88a97f4178d7a2387d8a3ccaecd94f2cf
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pl1:CzGL2C2aZ2/F1WHHUaveOHjT/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	mocuc.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	mocuc.exe
2540	etwir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mocuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etwir.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe
2540	etwir.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2780	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	82
PID 2672 wrote to memory of 2780	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	82
PID 2672 wrote to memory of 2780	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	82
PID 2672 wrote to memory of 4520	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	83
PID 2672 wrote to memory of 4520	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	83
PID 2672 wrote to memory of 4520	2672	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	83
PID 2780 wrote to memory of 2540	2780	mocuc.exe	94
PID 2780 wrote to memory of 2540	2780	mocuc.exe	94
PID 2780 wrote to memory of 2540	2780	mocuc.exe	94

C:\Users\Admin\AppData\Local\Temp\46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
"C:\Users\Admin\AppData\Local\Temp\46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\mocuc.exe
  "C:\Users\Admin\AppData\Local\Temp\mocuc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\etwir.exe
    "C:\Users\Admin\AppData\Local\Temp\etwir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
fed8c560b73e9461d78fc6e623425571

SHA1
93569ed3aed6cd3c92d4ee8d8b799110f408298a

SHA256
42542ad4667a0e43dff5283567dad6e8a2995366ba7547c822e5734fcd782100

SHA512
8a1077eaf322748550ab7ce22431c00b011858bdac085de84b9843b4e2efad4517bffa249f1115acff7a51c0e76e43972e73c9335679d8e5bce04af695b06310

Download Submit
C:\Users\Admin\AppData\Local\Temp\etwir.exe

Filesize
303KB

MD5
2f52e553e15123890417e164f7ecaa89

SHA1
345055bd892c46175da6e5b8f67ddfcf80d209d7

SHA256
c08cb784e6d80462f3502cba1e0dda9dc54c8f88ee39a24edc03c1890109a90c

SHA512
277aa1c82d692986808959b99af6f88878a2572c57f733febd82a16fff297ad9a7fcec5baf2ac3a989e24341bb282b90cde10d3dc0ab8099c8188f06c05aeb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7305916b28040925b3046470ef7e064c

SHA1
b1f2005396de139e042f0689aa62689fbd758a7c

SHA256
9e87579da09b591e0d93b1c143e16c1bfe8b37946b76307fb2a5243e89f91856

SHA512
e26a22e5de29c7c015047f61dda4100c1d7177067049842e49b1e89cff3d99ce235ba004d45e977e95c42ffd212c7f310f23ecd113b2d053351923461534126f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocuc.exe

Filesize
371KB

MD5
10d6b4860ae3c9203a0ad9b6fe52b945

SHA1
191287cdf562d0b1b273a98285c7029bc144e33d

SHA256
1f5da5c62f8ab29f77037eeca36a79572071997f6ca108232267f0da2287efb6

SHA512
51d7a63b2aa79badcb14bb1148967c72ba779dbd83acdc4c44b45beee8a228e667eb31d0928735c603e23cdb9593ebd79562537d55e0b87a50721b2c6b9c6696

Download Submit