Analysis
- max time kernel: 158s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 07:52
Static task: static1
Behavioral task: behavioral1
  Sample: 87953bdf18ba88061cf28ad17116b56f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 87953bdf18ba88061cf28ad17116b56f.exe
  Resource: win10v2004-20220414-en
General
- Target: 87953bdf18ba88061cf28ad17116b56f.exe
- Size: 1.9MB
- MD5: 87953bdf18ba88061cf28ad17116b56f
- SHA1: bc04b30d0e7ca0fc34b1d507ab4b991e0cc5dbc6
- SHA256: 9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f
- SHA512: 19d8520c62da97a0a793c1f9eb17ae5865ea3d6d9e4734ac5e4069c864f52fccf06d5961c136095c73e7ee6c3ce1e9ae0038f32e8941f5aa2599327111b386c3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: 87953bdf18ba88061cf28ad17116b56f.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1856, process regsvr32.exe
    pid 1856, process regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 2772 wrote to memory of 1856; pid 2772; process 87953bdf18ba88061cf28ad17116b56f.exe; target process regsvr32.exe
    description: PID 2772 wrote to memory of 1856; pid 2772; process 87953bdf18ba88061cf28ad17116b56f.exe; target process regsvr32.exe
    description: PID 2772 wrote to memory of 1856; pid 2772; process 87953bdf18ba88061cf28ad17116b56f.exe; target process regsvr32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\V8NgH.K
  Filesize: 681.1MB
  MD5: 116f558ce26d856dda8875228d40cd64
  SHA1: aa9e683d1bd584029679b8a6463e11b30a13190d
  SHA256: 7dae8703accc936872ac739653b7829a78c28fd8a5ce8e17deb10810e5c634d8
  SHA512: b3865844e4717cd1849924bc82214f1ff289971c1c5b49e02e9af611264e06ec0f13adebbf2c3631537b36a250083087754b1b45a7a5f48a179e0becf7e0267f
- C:\Users\Admin\AppData\Local\Temp\v8NgH.K
  Filesize: 682.8MB
  MD5: dec75150ae1a88326cfbba1ad4d90345
  SHA1: 65b35717ab19045a80017968c353880aa01fe08f
  SHA256: 346f5d0021dbd8ffeb55fb83e6841c6442c8720c615cba5b9b2e469d1306d6b7
  SHA512: 3d319e1438b1af5900df98dc05e443d0bfb8e0a008d0e145a430fb0c8dfd0fe9864da94f9c4ed3194633daf7ca6fb1aef71ffda8b8fc64e962050808a7d35ebd
- memory/1856-131-0x0000000000000000-mapping.dmp
- memory/1856-135-0x0000000002100000-0x0000000003100000-memory.dmp
  Filesize: 16.0MB
- memory/1856-136-0x000000002D100000-0x000000002D1DF000-memory.dmp
  Filesize: 892KB
- memory/1856-137-0x000000002D2A0000-0x000000002D35B000-memory.dmp
  Filesize: 748KB
- memory/1856-138-0x000000002D360000-0x000000002D414000-memory.dmp
  Filesize: 720KB
- memory/1856-139-0x000000002D420000-0x000000002D4C0000-memory.dmp
  Filesize: 640KB