3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836

Analysis

max time kernel
43s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Size

116KB
MD5

b8ecec542a07067a193637269973c2e8
SHA1

97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256

fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
SHA512

730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1630.tmp.exe2871.tmp.exe

pid process

2796 1630.tmp.exe
3600 2871.tmp.exe

pid	process
2796	1630.tmp.exe
3600	2871.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61e7502f007f3_Tue23d6fecf8c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	61e7502f007f3_Tue23d6fecf8c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

61e7502f007f3_Tue23d6fecf8c.exe

description	pid	process	target process
PID 4072 wrote to memory of 2796	4072	61e7502f007f3_Tue23d6fecf8c.exe	1630.tmp.exe
PID 4072 wrote to memory of 2796	4072	61e7502f007f3_Tue23d6fecf8c.exe	1630.tmp.exe
PID 4072 wrote to memory of 2796	4072	61e7502f007f3_Tue23d6fecf8c.exe	1630.tmp.exe
PID 4072 wrote to memory of 3600	4072	61e7502f007f3_Tue23d6fecf8c.exe	2871.tmp.exe
PID 4072 wrote to memory of 3600	4072	61e7502f007f3_Tue23d6fecf8c.exe	2871.tmp.exe
PID 4072 wrote to memory of 3600	4072	61e7502f007f3_Tue23d6fecf8c.exe	2871.tmp.exe
PID 4072 wrote to memory of 1584	4072	61e7502f007f3_Tue23d6fecf8c.exe	cmd.exe
PID 4072 wrote to memory of 1584	4072	61e7502f007f3_Tue23d6fecf8c.exe	cmd.exe
PID 4072 wrote to memory of 1584	4072	61e7502f007f3_Tue23d6fecf8c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\1630.tmp.exe
"C:\Users\Admin\AppData\Roaming\1630.tmp.exe"
2⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\AppData\Roaming\2871.tmp.exe
"C:\Users\Admin\AppData\Roaming\2871.tmp.exe"
2⤵
- Executes dropped EXE
PID:3600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe" >> NUL
2⤵
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1630.tmp.exe
MD5
446119332738133d3ecd2d00ebe5d0ec

SHA1
83c4c026ac8bffb9287a5b9ade2e93d4dcc50709

SHA256
5718e48ba5305adeea0390ca7cce071cc86f2c3d03560842f9067aad3d92193f

SHA512
d185fcd61861020ed6385650d4bbaeac9c6f4eba6e79164dce65cb96e4cac6360d9a49444fa0a4c1c01e5579eff495f82712d9b1e73d6d5f35a3459ac038600f

Download Submit
C:\Users\Admin\AppData\Roaming\1630.tmp.exe
MD5
446119332738133d3ecd2d00ebe5d0ec

SHA1
83c4c026ac8bffb9287a5b9ade2e93d4dcc50709

SHA256
5718e48ba5305adeea0390ca7cce071cc86f2c3d03560842f9067aad3d92193f

SHA512
d185fcd61861020ed6385650d4bbaeac9c6f4eba6e79164dce65cb96e4cac6360d9a49444fa0a4c1c01e5579eff495f82712d9b1e73d6d5f35a3459ac038600f

Download Submit
C:\Users\Admin\AppData\Roaming\2871.tmp.exe
MD5
4d75dea49f6bd60f725fae9c28cd0960

SHA1
39875c55b440554253b32d581e1c1e01bd50eb90

SHA256
f780f1b37685e902aa4910e5a6d62c7a209f002f88c83598b30ca804f5f4e1f0

SHA512
fda61a9cc6a78b6949d4d959b090e84e09f1d41d0b63daa843e28a0666e6989adf25130787f91f5d9e0a3c37ed4bb0ba7b98ed54ac4a0236176124ba0baf9ce5

Download Submit
C:\Users\Admin\AppData\Roaming\2871.tmp.exe
MD5
4d75dea49f6bd60f725fae9c28cd0960

SHA1
39875c55b440554253b32d581e1c1e01bd50eb90

SHA256
f780f1b37685e902aa4910e5a6d62c7a209f002f88c83598b30ca804f5f4e1f0

SHA512
fda61a9cc6a78b6949d4d959b090e84e09f1d41d0b63daa843e28a0666e6989adf25130787f91f5d9e0a3c37ed4bb0ba7b98ed54ac4a0236176124ba0baf9ce5

Download Submit
memory/3600-134-0x00000000008A0000-0x00000000008CF000-memory.dmp

Filesize
188KB

Download