4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

Analysis

max time kernel
149s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-06-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe
Size

1.6MB
MD5

c4bc22a23300c3e7db1fae03e00610a5
SHA1

0f8d2471d510434d0338fa204c7863a5a6e17190
SHA256

d866f133333b259ea1aaaa838bd6f26a28798d440ce4531cd90b0497ea92d869
SHA512

fa629c9f18ff2cfd07c4da7065a544d84b4dc823c8b542863525eafcf9ad62a74f5f1fdbd6e1f0609135f258b0ffe01b136b614e8bd0d669d0a5ea4052bd3fc6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62a1ea2a20759_b7a66dc968.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	62a1ea2a20759_b7a66dc968.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5048 rundll32.exe
5048 rundll32.exe
1600 rundll32.exe
1600 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5048	rundll32.exe
5048	rundll32.exe
1600	rundll32.exe
1600	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

62a1ea2a20759_b7a66dc968.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 5012 wrote to memory of 1920	5012	62a1ea2a20759_b7a66dc968.exe	control.exe
PID 5012 wrote to memory of 1920	5012	62a1ea2a20759_b7a66dc968.exe	control.exe
PID 5012 wrote to memory of 1920	5012	62a1ea2a20759_b7a66dc968.exe	control.exe
PID 1920 wrote to memory of 5048	1920	control.exe	rundll32.exe
PID 1920 wrote to memory of 5048	1920	control.exe	rundll32.exe
PID 1920 wrote to memory of 5048	1920	control.exe	rundll32.exe
PID 5048 wrote to memory of 216	5048	rundll32.exe	RunDll32.exe
PID 5048 wrote to memory of 216	5048	rundll32.exe	RunDll32.exe
PID 216 wrote to memory of 1600	216	RunDll32.exe	rundll32.exe
PID 216 wrote to memory of 1600	216	RunDll32.exe	rundll32.exe
PID 216 wrote to memory of 1600	216	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2a20759_b7a66dc968.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea2a20759_b7a66dc968.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\PHF_.hT
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PHF_.hT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PHF_.hT
4⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PHF_.hT
5⤵
- Loads dropped DLL
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PHF_.hT
Filesize
137.9MB

MD5
fa647e620799308b2d8eb2c74e0095eb

SHA1
a949626be4e120ef64efbea14e712b34ca20f2f8

SHA256
e93363796361f33d9dae8de45da84cbf7498414897630c29ebfdfce965df4fc8

SHA512
c5b4535245051f5cc585a124d78b87e2536321fc51a1ca0b4df0057e8421b01f08e5b684b636ca2563305584d83991f7f8f4d79b3c6d4ea0154e42fb6b2083f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\phF_.hT
Filesize
132.4MB

MD5
5ba414c1d62fcaed282b9287cf60bc0f

SHA1
8a64c15271c11b11e30198f766d18efc31435c0b

SHA256
25a72556d4856118a537928a145a71f1797da6853d921b38b372c01e28b0e8d1

SHA512
a20482a220aee6b7f74eec33191278c089c2da4114814c44ee489bff798a9c2e7448fc08f25d5a5ef3d8236f0957c621880f262f1b456447d2eb3c6090573e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\phF_.hT
Filesize
132.9MB

MD5
54e2b392025a0198d5f61559303cb3e5

SHA1
dd92de59b3b3c2c4d28a2a5a1e4666a15ce0a845

SHA256
d632ea3c517c6357fbc3af4266cfb5ba70fa773073d75dd37da75c19834cd090

SHA512
49ff9dfe46782e923b0d4c51431eb71a5a36137e757938b93fdaa2c3a8c3fa53b160b69f89866d618b28240e392a9ff87aa4209873484a8457b73428275841ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\phF_.hT
Filesize
96.3MB

MD5
cc031e99c0e4f71958de3a96d9568902

SHA1
cb75e3bf9431dc1e548a4d5538a5613b3feb6275

SHA256
f2645aa9c7325aa682063711bd701930b6f6dcfe1c8b67ec74f800271a2078a2

SHA512
ee244d2a13d4c618bcf84980cd59e4e80f412b419c598fce23064fd9d03c74ef97d8c6d2e35858bf7f936f7b1432863e376e6bc108bae31afd03c736cc9ceb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\phF_.hT
Filesize
97.3MB

MD5
5d22b49bdb01bc37eb3f6bb672c91814

SHA1
a17d7c8835617f8f8b45db7b53de50d835f6f9b2

SHA256
2e11408aba222e73dc538341fc793a6aaf11644109221cea7a8858f264166d19

SHA512
4886ca37f2517c72d4f63afdb0e1f3f8084d192762d59b5f7522517b30fe36155574520b30fef14fc2840d2e895c89251f9f958127f2acea5dc6f4dfab9d50cc

Download Submit
memory/216-142-0x0000000000000000-mapping.dmp

Download
memory/1600-151-0x000000002E050000-0x000000002E0F1000-memory.dmp

Filesize
644KB

Download
memory/1600-149-0x000000002DF90000-0x000000002E046000-memory.dmp

Filesize
728KB

Download
memory/1600-148-0x000000002DED0000-0x000000002DF8C000-memory.dmp

Filesize
752KB

Download
memory/1600-147-0x000000002DD50000-0x000000002DE0D000-memory.dmp

Filesize
756KB

Download
memory/1600-146-0x0000000003170000-0x0000000004170000-memory.dmp

Filesize
16.0MB

Download
memory/1600-143-0x0000000000000000-mapping.dmp

Download
memory/1600-153-0x000000002DED0000-0x000000002DF8C000-memory.dmp

Filesize
752KB

Download
memory/1920-130-0x0000000000000000-mapping.dmp

Download
memory/5048-135-0x0000000002630000-0x0000000003630000-memory.dmp

Filesize
16.0MB

Download
memory/5048-140-0x000000002D4A0000-0x000000002D541000-memory.dmp

Filesize
644KB

Download
memory/5048-139-0x000000002D4A0000-0x000000002D541000-memory.dmp

Filesize
644KB

Download
memory/5048-138-0x000000002D3E0000-0x000000002D496000-memory.dmp

Filesize
728KB

Download
memory/5048-137-0x000000002D320000-0x000000002D3DC000-memory.dmp

Filesize
752KB

Download
memory/5048-136-0x000000002D1A0000-0x000000002D25D000-memory.dmp

Filesize
756KB

Download
memory/5048-131-0x0000000000000000-mapping.dmp

Download
memory/5048-154-0x000000002D320000-0x000000002D3DC000-memory.dmp

Filesize
752KB

Download