72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe
Size

17KB
MD5

a757131a25d9a2734e84b0568f0bc8b3
SHA1

85ab9eb383102af3b9ff38621586db156d542afb
SHA256

72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14
SHA512

0f5394de9d204b612a8773169bb605a3a1be62201d0543e58baa894d97771bc2cacb778fb9281980d1812b034ac33e4f9e740f09aac6fb0545f70b407b848ef3
SSDEEP

384:QLEVpNydaLiVSihPLTVmf4Dfl7mDEH2nRmA1B/jXRMQcyv:OEVpN92zC48EH2nRPmTyv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3076	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 1224	428	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe	85
PID 428 wrote to memory of 1224	428	72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe	85
PID 1224 wrote to memory of 756	1224	cmd.exe	87
PID 1224 wrote to memory of 756	1224	cmd.exe	87
PID 1224 wrote to memory of 3076	1224	cmd.exe	88
PID 1224 wrote to memory of 3076	1224	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe
"C:\Users\Admin\AppData\Local\Temp\72c10bc622ab99c86aec31e8b16999fd865000591f2f6b6d68059e0126399f14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\mode.com
    mode con lines=30 cols=50
    3⤵
    PID:756
- - C:\Windows\system32\timeout.exe
    Timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
1KB

MD5
79355e432cf209a749701dba1ed10a30

SHA1
cb3285b75803545f0a8f2d58d60d9dd7f41a424f

SHA256
ea114527cd19aa26226914b78bc053d27738b9c9c81eb74403572c1e9e086b11

SHA512
c245386293f55be1c90bc21ed16a55a9b95d5a93f90bc3fda2a7b7df2278f0b4884e2dc0569db74705ca27b78bc8aefdd02d9a8b5affd28509734c9987311406

Download Submit
memory/428-0-0x00007FF840FE3000-0x00007FF840FE5000-memory.dmp

Filesize
8KB

Download
memory/428-1-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download