286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
Size

154KB
MD5

e030eb40be750f3fb66967ad6d098c37
SHA1

f4ad311180d5086be0e281af0f22f52ef9a7e2a2
SHA256

b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444
SHA512

7fbb246e5b97c876bb9ef6f85eabdc73129a15e23d45ee20953dc40de8363087715f9fe8f36aea7eea59019e10396db5539a4078f3d7c7c89b1dc8617088d131
SSDEEP

1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcm5:JZmCb6ROF96zMq1yLAHtUcmKyR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe

Executes dropped EXE 1 IoCs

pid	Process
5968	MangerFolder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MangerFolder.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
392	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5968	MangerFolder.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 6032 wrote to memory of 4836	6032	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	90
PID 6032 wrote to memory of 4836	6032	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	90
PID 6032 wrote to memory of 4836	6032	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	90
PID 4836 wrote to memory of 392	4836	cmd.exe	92
PID 4836 wrote to memory of 392	4836	cmd.exe	92
PID 4836 wrote to memory of 392	4836	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
"C:\Users\Admin\AppData\Local\Temp\b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "C:\Users\Admin\AppData\Local\MangerFolder.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "C:\Users\Admin\AppData\Local\MangerFolder.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:392

C:\Users\Admin\AppData\Local\MangerFolder.exe
C:\Users\Admin\AppData\Local\MangerFolder.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MangerFolder.exe

Filesize
154KB

MD5
d8ee17483512d5b9f6c80fa55d628cbe

SHA1
79653de962e944bbfe5d29c348de06361be905d2

SHA256
4c7a00d1095f3392eab79146e9df85b944b9672477f5a72b8dc3ae9509186443

SHA512
37b3f3727137b891117ef3410b22842255e6a3db0ab99261fd7799eff5e8e6c8c68adaf4cf43342269baa1362efae06f2154fb7404b88d37e9c5185a5d76e311

Download Submit
memory/5968-9-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5968-10-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5968-11-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5968-12-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5968-13-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/6032-0-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download
memory/6032-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/6032-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/6032-3-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/6032-6-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads