d446f9a6247df566e4e381594b8eaeeb844321fb16fcaf49bbac860fa4301a77

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
Size

564KB
MD5

633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1

f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256

0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
SHA512

ebdfa42be8d8f1a64900ba48748c8f86d9b74defbf85b3dda94d1df4d7c695d81769e165252fc0cfb2b5ffe347d84eb2f4f74e8d3e3d3ed3fa6466426f4eec28
SSDEEP

12288:zToPWBv/cpGrU3yJYqi+4mMz4pbIQ4+N54CHLottc:zTbBv5rUGdf4m/pMQ4m5nrJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe

Executes dropped EXE 1 IoCs

pid	Process
1092	bstkiooen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bstkiooen.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1092	3852	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	82
PID 3852 wrote to memory of 1092	3852	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	82
PID 3852 wrote to memory of 1092	3852	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	82

C:\Users\Admin\AppData\Local\Temp\0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
"C:\Users\Admin\AppData\Local\Temp\0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe
  "C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe

Filesize
6KB

MD5
a2af309781df2f75dc0b57ae63b0f3a9

SHA1
f4137068334e1856471f4701c96afaa0470c7d4c

SHA256
328f2a0d53ed5c36513f278f32a0d6166a2dc0993ed4f52185198d6200595e1c

SHA512
5f7bd4c508e1f9f0b391ebc6b42f6f734b846a76d6903db3e75b7b671d02bef2baecb40bcbb37a41394aeccb8d2591c2f5492aa74e458ff814b184d9668f259b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbmpmcwm.tfz

Filesize
185KB

MD5
b02c99ecfdb7d8793254bc8e9c003869

SHA1
e38ca7ff9c88e36d19aa0198820b97f6a11de201

SHA256
2f8eb57267950a4bc6e8dd8b2d7def8afc40b8db3c5ef49adc68fb144f7e8e41

SHA512
d12cd9fbabdcc1a5c601d6c0326b34f65ffc63be84ca94bc6dc70f0e70ec7c3b46122136d6f2a7e82bcb3e27d4bb89d9332ddd35026873fd4029d3405f73b09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgmxh.brz

Filesize
4KB

MD5
73d355a9e88d7a82f69e612949eb4965

SHA1
b6041f58669a65e43fbe8dcba0dbd061e48812bc

SHA256
115814a83166723ce7080d92af30822dbd7dc2d5d26edec9145b056b7226e166

SHA512
5498ad05a858051705e6e37a884f8897623bb2a415515c951e76d1ef12554994a6de0cd17b045dd740d9d92055ba1b6a725129f36740261d9de9ee9bb29577af

Download Submit
memory/1092-18-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download