3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
46s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Size

251KB
MD5

541d40acfed529f53816f8974634d875
SHA1

801444be5fb8efafd8a92dcb51a480cbb6039666
SHA256

85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b
SHA512

e7e653dbbf778533b244808001b7fa440e350c9c2c7fd2c45b52d46cc2f249cbc2a049bc023e4d350484a63b9d3b78b4ca378f7d0e883dcbbc6324c0a3b14c2d
SSDEEP

3072:+Cm3/jdYiAScDuYOr5rfaAP7K7yGzAMVb168yiJXNgfz798beFnHrAnlUwKV:SCiJ8uYOBfaAYyqhe8ZJda98beFnLAl2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	5296	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5296 wrote to memory of 2192	5296	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	87
PID 5296 wrote to memory of 2192	5296	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	87
PID 5296 wrote to memory of 5976	5296	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	90
PID 5296 wrote to memory of 5976	5296	85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe	90
PID 5976 wrote to memory of 3812	5976	cmd.exe	92
PID 5976 wrote to memory of 3812	5976	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe
"C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 2 & Del "C:\Users\Admin\AppData\Local\Temp\85744dd3f65e4636d5d433ed2a070c50a90375a38356c175ed31975813b4610b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5976
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 2
    3⤵
    PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5296-0-0x00007FF8570C3000-0x00007FF8570C5000-memory.dmp

Filesize
8KB

Download
memory/5296-1-0x0000025080860000-0x00000250808A4000-memory.dmp

Filesize
272KB

Download
memory/5296-2-0x00007FF8570C0000-0x00007FF857B81000-memory.dmp

Filesize
10.8MB

Download
memory/5296-4-0x00007FF8570C0000-0x00007FF857B81000-memory.dmp

Filesize
10.8MB

Download