f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
127s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-01-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Size

1.6MB
MD5

c4e681d218d1c9c4efe701b4c7554eb5
SHA1

c3b43d0fbc5ad442067546b9d40c16810bb379da
SHA256

825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6
SHA512

b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61e74fd8ef830_Tue23593425095.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	61e74fd8ef830_Tue23593425095.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1788 rundll32.exe
1788 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1788 rundll32.exe

pid	process
1788	rundll32.exe
1788	rundll32.exe

pid	process
1788	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

61e74fd8ef830_Tue23593425095.execontrol.exe

description	pid	process	target process
PID 2948 wrote to memory of 380	2948	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 2948 wrote to memory of 380	2948	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 2948 wrote to memory of 380	2948	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 380 wrote to memory of 1788	380	control.exe	rundll32.exe
PID 380 wrote to memory of 1788	380	control.exe	rundll32.exe
PID 380 wrote to memory of 1788	380	control.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\G1V6MSEY.nr
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
e250cf99f94031b3d8c0305c471e3717

SHA1
8bb2e1684d15e45248d80631b569e6540fbd226b

SHA256
e0bc5b8c8419c6bab462eec5e09d347d9a42bbacbb828a9a8fdcc96997b15ff9

SHA512
793b9508464ef62b4032b32d4922a9c3e216194cc59148a7cf3d00c48dc9385e10057053cb5fa6d2f748a81bc16c044eb36ed8b9c817c3ffbcc9b26fbf4dbea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
62a5a318f21725b7b94e0a0ae4989ae6

SHA1
ba7307c158674490624eb4d5bdc67a122b9a062b

SHA256
35bc8e8ad44fbdd5e066ccd6ef624b4becc1dd4b43e69044c87bea07734e7a73

SHA512
ad135638f1272a1b550d564ce524c6c2a77f689e09966b14292f47689507f3affc756c5c70d46c7b8dc78a870248d4b28c7273ea307bb61df59214f0716b79e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
7893178a9130994186ac03ec644aa105

SHA1
ec0a3626cd9a80f2cac5609ba1bcc1e9c6a01981

SHA256
f72fb975eca58dad4d9cb76a3fe7d3e497c89894664c53ec1b6639917a96a58d

SHA512
c72e4328ecbcf342d46ab015d4f2e8a88fbfff3308942bcdb73578020d7a25517e15114ee40fd93654b06124c71dc507050c8a6c362518ca20baf9985883c3b1

Download Submit
memory/1788-135-0x0000000004E40000-0x000000002F889000-memory.dmp

Filesize
682.3MB

Download