545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
103s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68b8408aa7c238f2f6646abb8c2ff32b.exe
Size

15KB
MD5

68b8408aa7c238f2f6646abb8c2ff32b
SHA1

1eec3953051baedef2f9b56dce1dd2673a6dff29
SHA256

46e5a4768db1d83d467431c07274873f38728339a82ceddfa9ca188d7e83cf93
SHA512

41a57f39395e031524cdca1ff5c23f0db206f24bd2bef8d5b9ab2c399e9a5eaf0c27a563a420a1f157221194847af130061462effb2293120cf15f9844e68801
SSDEEP

384:7OTxng39jk1pH+uURZt4dyK3OV1fksha4H94XGZlcvbFZ:AxQ9jupmRZbAOV1q4H9HZluhZ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	68b8408aa7c238f2f6646abb8c2ff32b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68b8408aa7c238f2f6646abb8c2ff32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4712	PING.EXE
4700	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4712	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5728 wrote to memory of 6072	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	91
PID 5728 wrote to memory of 6072	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	91
PID 5728 wrote to memory of 6072	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	91
PID 6072 wrote to memory of 5804	6072	csc.exe	93
PID 6072 wrote to memory of 5804	6072	csc.exe	93
PID 6072 wrote to memory of 5804	6072	csc.exe	93
PID 5728 wrote to memory of 4700	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	94
PID 5728 wrote to memory of 4700	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	94
PID 5728 wrote to memory of 4700	5728	68b8408aa7c238f2f6646abb8c2ff32b.exe	94
PID 4700 wrote to memory of 4712	4700	cmd.exe	96
PID 4700 wrote to memory of 4712	4700	cmd.exe	96
PID 4700 wrote to memory of 4712	4700	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe
"C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unrkamdz\unrkamdz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3D7CD0FA754090BCC187694F6E7494.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe" & move "갊갅개갭갗갬값간갠같각갚.exe" "C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

Filesize
1KB

MD5
ca724103670fb745fe55dc9faf64c2e3

SHA1
6b9641867d2b68e5bf9444f2ad977bf9beffc2d1

SHA256
4b4d342294bded6891d8357aeb0b183ad31e69d4cd40538b7c955ccc150887b4

SHA512
a0a7dd076478403ea696b0e2e0dfb45b4e536235f40a08a26d308bc9a42b6e85805234f620783ba18d027e241cfebe492fc5a5bc749d14785c780ed317b4fe16

Download Submit
C:\Users\Admin\AppData\Local\Temp\갊갅개갭갗갬값간갠같각갚.exe

Filesize
15KB

MD5
ea3614b5dc1dbf356f5f99e1382a549f

SHA1
4b644e465b3768f19c87e182124e4ae9654d311c

SHA256
08ef6ecf74b9a4c1b7e48991152a937362ee4deb15e8f306c23985ce6db8b6e3

SHA512
e38e0826b4af88a17854d39cf55c0726fb2d2a74ed692db2168325130e8151788ba7b2df1fd83a3c61916d222cb48c37e22b4b9065ff85f74f553b898315abcd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA3D7CD0FA754090BCC187694F6E7494.TMP

Filesize
1KB

MD5
c14c6f667b67d5c8ff426968dae68a73

SHA1
d264635fa0d8dee158b1798eaa47e3d183155aa5

SHA256
a4e35b27a759fea90e3a09a853fa70517b92ae999787f7a3c2458708f128a273

SHA512
5edcad218038ae0cb575eaa48b3851697a3cd60e3443a7ca65f7aa5c01484b100016df92a1c2e1c3af61bad10b438a85b14d5c11b9a90c3c9682357df2c04303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrkamdz\unrkamdz.0.cs

Filesize
26KB

MD5
8bb13875ffb487e95354b69229428f55

SHA1
0643ce606799389815fd27320a556f9ef2b4f451

SHA256
70c13f3ed3f2008ebbe25840c02188f168d9034291587473531e20446f6db8c7

SHA512
fd9531e1162949a608fcf75ba59a2d57ada9c66f39506f24ebb7e9a6d497d8ab342a8747ebee3131ce89f1f756000382d66e7c03acc399b37f5f70719f85b62d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrkamdz\unrkamdz.cmdline

Filesize
296B

MD5
29ebe2dcc1b5b3b3623be6d7487bdd61

SHA1
0de05ce0199c4ca39d437f7cd253ed2009987224

SHA256
cccbcd73f0de6cef20cab470c05ad8c427f990e20e7347af1ec5b1819a46878e

SHA512
59566fde99c283e35869a7dcf06c40261efb97ecee950831503448de4f667b9559e7eeaf4d715458b2749aa1ddc7390b291d737662e03eeaf345cc286295c5d7

Download Submit
memory/5728-5-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5728-3-0x0000000004FA0000-0x0000000004FA8000-memory.dmp

Filesize
32KB

Download
memory/5728-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/5728-18-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/5728-4-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/5728-2-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/5728-23-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5728-1-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads