Analysis

  • max time kernel
    173s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    07/02/2022, 02:32

General

  • Target

    4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe

  • Size

    1.8MB

  • MD5

    d1b922e5f97270ad56f1c314bbab51a2

  • SHA1

    a24a536042b233fd352572498234bc4653ab9006

  • SHA256

    4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d

  • SHA512

    1f9edec7d1cb9fa3e1a90510d9f40e084232164838557cd13b77e69d44ca5b54afef886ed95d4ef3bc97ec8d4785dce40b2ed9b1f3ff966453f6abb30cb60e98

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe
    "C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\310B.tmp\312B.bat C:\Users\Admin\AppData\Local\Temp\4dce648291d33a5eb98f21179e043dc2787fc2224458957bf000d8a26d65ae6d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Users\Admin\AppData\Local\Temp\310B.tmp\2.exe
        2.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:3204
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3752
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1968

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads