97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef

Analysis

max time kernel
195s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
Size

4.3MB
MD5

8786f856af7d279d72cf6cac110e3e69
SHA1

52cfb091bbcd1ac44a5bee5dd25707b646a126dc
SHA256

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef
SHA512

1fd4401394aed60ea4ebc81275d9e33c73e4f79a2ddb34777779d6ce2456c121a5d7a3bff17f744c248a003b1d93cb22552d5e5fbfde3dc740fa67fe8afc123b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

Loads dropped DLL 10 IoCs

Processes:

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

pid	process
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\branding\mediasrv.png powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5096 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

204 powershell.exe
204 powershell.exe
204 powershell.exe
204 powershell.exe
204 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 204 powershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasrv.png	powershell.exe

pid	process
5096	timeout.exe

pid	process
204	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe

description	pid	process
Token: SeDebugPrivilege	204	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 4404	924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe	cmd.exe
PID 924 wrote to memory of 4404	924	97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe	cmd.exe
PID 4404 wrote to memory of 5096	4404	cmd.exe	timeout.exe
PID 4404 wrote to memory of 5096	4404	cmd.exe	timeout.exe
PID 4404 wrote to memory of 204	4404	cmd.exe	powershell.exe
PID 4404 wrote to memory of 204	4404	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
"C:\Users\Admin\AppData\Local\Temp\97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\gerta.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\system32\timeout.exe
    timeout -t 15
    3⤵
    - Delays execution with timeout.exe
    PID:5096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\gerta.ps1
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gerta.ps1

Filesize
5.3MB

MD5
ba3470f3eb24a5ac1f94cf850ba299f0

SHA1
5c122ce2a7c3dd5be355e4c68fddde248c3642a0

SHA256
609fb89c303d7cdab7ad1a3059ec53f448354176f8c19ba7a4841ea4b2defb4b

SHA512
562f394717dffbd854c3d04569be2c57739f29a84ca152b3d413fa046679999f67fbba439c252fbac0121be6d11bda61f2a2d010461350b9e399d20669490918

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf476A.tmp\nsUnzip.dll

Filesize
146KB

MD5
77a26c23948070dc012bba65e7f390aa

SHA1
7e112775770f9b3b24e2a238b5f7c66f8802e5d8

SHA256
4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

SHA512
2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

Download Submit
memory/204-146-0x0000000000000000-mapping.dmp

Download
memory/204-147-0x0000024759A00000-0x0000024759A22000-memory.dmp

Filesize
136KB

Download
memory/204-149-0x00007FFD51000000-0x00007FFD51AC1000-memory.dmp

Filesize
10.8MB

Download
memory/924-132-0x00000000022D1000-0x00000000022D5000-memory.dmp

Filesize
16KB

Download
memory/4404-144-0x0000000000000000-mapping.dmp

Download
memory/5096-145-0x0000000000000000-mapping.dmp

Download