b0e1ef21d8ea2102603fa0e127d46f66ef40a368f4ba60bc81a8a4fd51e44bf0

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
Size

2.0MB
MD5

a6c1f985465f58baa96e2fb863368258
SHA1

48dbf29f9719644738fd849fb22e10e6e4f51d7c
SHA256

a4b02b376cc1b68b65ec04e802746b9befc7d4db84a749ebf7b7aa1371628275
SHA512

c9ac3680661a3af08aa468c37ab3fb80a7e8085561e6f845b18fa16154ce117661b862a1147135f533850b71ef676c7339f200029b321058ed84cea27df996ba
SSDEEP

49152:3AI+Fl/k/n8JIgBeMCoT+DheCsR15+Vgy7tNByI6Aop:3AI+Fl/kPhghCS+FyCCy7tNBj6Aop

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	data-com.exe

Executes dropped EXE 4 IoCs

pid	Process
3384	data-com.exe
4476	com-win867.exe
1180	netshare-winw.exe
3884	repair-winv.exe

Loads dropped DLL 2 IoCs

pid	Process
4476	com-win867.exe
4476	com-win867.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\data-com.exe	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
File opened for modification	C:\Program Files (x86)\Company\launcher\launcher.exe	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1460	4476	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netshare-winw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repair-winv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	com-win867.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x000c000000023c07-30.dat	nsis_installer_1
behavioral2/files/0x000c000000023c07-30.dat	nsis_installer_2
behavioral2/files/0x0009000000023caa-39.dat	nsis_installer_1
behavioral2/files/0x0009000000023caa-39.dat	nsis_installer_2
behavioral2/files/0x0008000000023cab-50.dat	nsis_installer_1
behavioral2/files/0x0008000000023cab-50.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe
4476	com-win867.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3384	3016	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe	83
PID 3016 wrote to memory of 3384	3016	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe	83
PID 3016 wrote to memory of 3384	3016	A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe	83
PID 3384 wrote to memory of 4476	3384	data-com.exe	84
PID 3384 wrote to memory of 4476	3384	data-com.exe	84
PID 3384 wrote to memory of 4476	3384	data-com.exe	84
PID 3384 wrote to memory of 1180	3384	data-com.exe	87
PID 3384 wrote to memory of 1180	3384	data-com.exe	87
PID 3384 wrote to memory of 1180	3384	data-com.exe	87
PID 3384 wrote to memory of 3884	3384	data-com.exe	88
PID 3384 wrote to memory of 3884	3384	data-com.exe	88
PID 3384 wrote to memory of 3884	3384	data-com.exe	88
PID 4476 wrote to memory of 2204	4476	com-win867.exe	89
PID 4476 wrote to memory of 2204	4476	com-win867.exe	89
PID 4476 wrote to memory of 2204	4476	com-win867.exe	89

C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
"C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Common Files\data-com.exe
  "C:\Program Files (x86)\Common Files\data-com.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\com-win867.exe
    "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\com-win867.exe
      "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1052
      4⤵
      Program crash
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe
    "C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
    "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\data-com.exe

Filesize
1.6MB

MD5
c4f5279ac008bd516fac948b9ed07ef4

SHA1
dfd6b2cde45d61cb5f470d7cc9aa02ea14a88b0c

SHA256
e62f25c348f1a803072a3fa6991c3c624982f1a0db33a835af27ec22bab577f6

SHA512
54c5c1c397c3c9a2a3737447b7e2b1b048ffcaa8478453fb25bc9c4e9c9204a58f41318b80ff806c91cd77e09bac47152bc3ea56ce7faaa088f7f20d67632bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\50x50.jpg

Filesize
990B

MD5
ca6477ef69993246149bd34b857651db

SHA1
01411f9b09d58c6ea7f4068ace6207db4fb1b46f

SHA256
10c7923013668a793ba279dff60675fde5077234e5b2be84dd7c297d43540ad6

SHA512
02e5c2b806f58774e3f5b7d0b71c2c3ced543170ab643d211a6839ddb82676a88a321bfcccc65700272b0b9595193d8c2573bf7f477b945d1a8e798e7f7226fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.md

Filesize
1KB

MD5
0b61e9b2d174d66a91074558158d061c

SHA1
93d625d555981387466aca8018075b1195496b9c

SHA256
20d1cea77432e36ac12c16a2636344d92fab61c3f349444f3a7808ab3f57a1ac

SHA512
6ad59fd9f375d5e2b0e92ecb60406523f9333fff8a837963fb685ed3bf40f888c2d4847d4be6cfda16e1bfc668eb21d2724d073504af1bbf82a18aca58e9577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\com-win867.exe

Filesize
454KB

MD5
ece598774bd28cbe3caa0ee1f2212725

SHA1
48433d51044b0d1c9e802a6c95f9c994b5b0a142

SHA256
7ed2531a506e24a014493c92de25ca92fe712aa71a2ce981b14f25e053d5d5b6

SHA512
29aad65aa5827996bfd1ffb932803f2691450aeede912c0e6f60712af8b622b517b440bade503fbc076bb4245817fba1823bb54b1fadaddaab4c3057ca91b70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.png

Filesize
6KB

MD5
a7032131575edf08d718f4d3a1343e99

SHA1
4f6fef19c9b8f75f9e962fd3c78e92cd3b836446

SHA256
8a4bd6e4675e40248040db34c43fbf4bf7f8d0a67404efb4bed3d7a47f2c6dbd

SHA512
a6f47acff9d8b1bf48f9c8f3a64b75a8f3e5be071ac378eaa46252eaf27c84b075347ae052390ed892f17d820d7fda7a516298b787cda02718cd47bcf8c0a0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe

Filesize
793KB

MD5
937e8c3bed1eae721daf1b8aa0e2ae38

SHA1
a53fd1565b9d92986db6383830cadee69dfe8723

SHA256
69988bab12a838d28a2cca55bddb05da74ec8653ac887f8f0340a178325f2872

SHA512
277edd5c91ca22661d08d9e456f0b93666c3e0906af2fe589a68b9cdf565d51666030907f8096837ac5bcc33072d5df27bd5f543a90d24cb08db0a1f8be66a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaB98D.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\repair-winv.exe

Filesize
502KB

MD5
3436f616a07a2d43b067b0c7a9ee0aab

SHA1
9acc3914853a04bfc795d8d97e7862ae0d873276

SHA256
fc3a8e4291ca21ecc1f28995bf8834e46aeddfafaf959413b2b9cd2ab87f51e3

SHA512
eb51df5c9855cc0dc310a2ea08b46e3b6b5aa190cc84e2ff6ccbc9b670352b099b35464fcad2b300086c74174fcd0105f6deb5fd6d9f96205a529f8d6b375c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrcvb.dll

Filesize
10KB

MD5
0c9759f952b48ce3b6ea9ab6e8c74ec8

SHA1
2bc4e9b133ef7dcef59a170e81ec8ea329366b39

SHA256
fb17899c01dc5b01d78a45ac7ada23742285894c57cf957688a8b0aeb79044f3

SHA512
1d8339f065140053505d6080959015d851ca442d88a44dfdc0e26a5e5c53ae03d555a1ff308cd6072e1fd73e3f60aeb8752cde8e0b704d321203bf548b85eef9

Download Submit
memory/3016-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-73-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4476-87-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download