2ecbb7bc7319ecdcb2d9d4bbf38deabd2a3a93999e02f595d9413bb4b9767171

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virus/Virus.exe
Size

431KB
MD5

59830c5bd23ee9a6731ab53357bae10c
SHA1

686d8930f5fd18a9b94a196fab728995d4f0a23c
SHA256

562da82431e0531463bd5ae23c4f52a74f8c279a3f172ea803b589f4259a904d
SHA512

63be6b7ff9486438e7a8e51ce7154a7d44ba51d324818a571fe06f5c8c1375129afe9851051148f466e00e704c1a950dc1a60a94c3506fb5caf98a44f0aa94ef
SSDEEP

6144:pc9yzJpeQF2ZcbTzHznY8XHyldgaPGr++7+EK/zJDi3RC4AQNMIoYrmLUMn5k:4yveQB/fTHIGaPkKEYzURNAwbAgMn5k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Virus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2456	Virus.exe
Token: SeRestorePrivilege	2456	Virus.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 208	2456	Virus.exe	81
PID 2456 wrote to memory of 208	2456	Virus.exe	81

C:\Users\Admin\AppData\Local\Temp\virus\Virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus\Virus.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DEATH.bat" "
  2⤵
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DEATH.bat

Filesize
3KB

MD5
02131bf374d7713b1c3bd8955442b00f

SHA1
132163900068d2d9ac92bafa7f957134caf1f9d4

SHA256
95f01ac5f613423f48133d7a0df04a6e147e0027a94760aef6df67fa740fe62b

SHA512
c40b77270fbb56a5369237e1f863f3ad654ffcb7197accb0147f162b1e0f03a1879e49d53a4249248e9a6427a655d312038ab2a5b56ae178f185c37f5027ad9c

Download Submit