3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836

Analysis

max time kernel
124s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Size

1.6MB
MD5

c4e681d218d1c9c4efe701b4c7554eb5
SHA1

c3b43d0fbc5ad442067546b9d40c16810bb379da
SHA256

825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6
SHA512

b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61e74fd8ef830_Tue23593425095.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	61e74fd8ef830_Tue23593425095.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

532 rundll32.exe
532 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

532 rundll32.exe

pid	process
532	rundll32.exe
532	rundll32.exe

pid	process
532	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

61e74fd8ef830_Tue23593425095.execontrol.exe

description	pid	process	target process
PID 1844 wrote to memory of 3844	1844	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1844 wrote to memory of 3844	1844	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1844 wrote to memory of 3844	1844	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 3844 wrote to memory of 532	3844	control.exe	rundll32.exe
PID 3844 wrote to memory of 532	3844	control.exe	rundll32.exe
PID 3844 wrote to memory of 532	3844	control.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\G1V6MSEY.nr
2⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
5b9ba89e931df196eb10c96f0bac1ad1

SHA1
25ae2f1380cc055a9935e6ad6c9ace2da48d74aa

SHA256
74e4e44f3391be22ccb844c784cc4e6d5614a826ec76d078ef880d10c56a173f

SHA512
059abe70b3a2c839cff61c540ac64bb2a089d7bdf33a293efff722558dfe488fa4a1ff2edc556c13764312ccaf874549253aff2f717057d490d8415687bce6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
a1d7ff42127692c12c8abdd41eee4d8a

SHA1
914f719052e06c9d43d2bf8fc0100f898b4f3e2a

SHA256
492ff5e3ae663b810eea46312624a73624d4637146c777d45b878bb7617c20cf

SHA512
9b71c3fc0f5497fd9bc05b5923672d78f5630025ce070d16a91f2e15660aca47f2e19b4b04542ccb0457d1e20fba550eb26dc69fd95efbd0835a0126266a6c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
903d339b9d1f7a53b61d1cb5987d5357

SHA1
0ddad2d1aab7642b46538e47b774e0616908cc22

SHA256
006e17bb1369a32a3c2a1758db88d5b1906fc0ef3b1b01049e86a8ffeef5c208

SHA512
f2abf08b6190a3a8e371a20d862332bfae36ac2924eadfaaa32383c7cf44cd9d28384e0ad200448bcc7888f6529144239086c63d824dd2b7eef02d2b1ebad144

Download Submit
memory/532-135-0x0000000004760000-0x000000002F1A9000-memory.dmp

Filesize
682.3MB

Download