Analysis
-
max time kernel
2s -
max time network
27s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
20-01-2022 20:03
General
-
Target
9618345aad276496e7d33d390a0cdf5e.exe
-
Size
322KB
-
MD5
9618345aad276496e7d33d390a0cdf5e
-
SHA1
49ea625e58a17a1992c767fc7afb137dbfd0419a
-
SHA256
dc9ddeb5493a529530acf29a62a5de10bef65ffb22ebea264818058bf9223ae6
-
SHA512
9c4d96bba45a6e589d597277d8454a89781a53b0b6419b4f4ef04f02576a424f7efdc5a9c4f5a426742544d6d054b1ab14aebad6a6a6a355c8c3a0345778ca6d
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9618345aad276496e7d33d390a0cdf5e.exe"C:\Users\Admin\AppData\Local\Temp\9618345aad276496e7d33d390a0cdf5e.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3708-130-0x0000000000D50000-0x0000000000DA8000-memory.dmpFilesize
352KB
-
memory/3708-131-0x0000000005BF0000-0x0000000006194000-memory.dmpFilesize
5.6MB