Analysis
- max time kernel: 149s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2022 06:34

Static task: static1
Behavioral task: behavioral1
- Sample: ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
- Resource: win10v2004-20220721-en
General
- Target: ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
- Size: 2.3MB
- MD5: a4dbaa2823de224f553e652fc084f6dc
- SHA1: 9889fb674e623d0cdfe96aeb6f464b20a0c2061f
- SHA256: ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf
- SHA512: 5dbf389d0a37d07085e1fd2bcf51194cf723f738d9b780be7927db3df8a76f564a66de88514781a7cf2a2e947f99b50ea6dce7d38b5d2acf4e82bb2c9a81c3c3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
    process: ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    5056 rundll32.exe
    5056 rundll32.exe
    1920 rundll32.exe
    1920 rundll32.exe
- Enumerates physical storage devices (1 TTPs, no IoCs listed)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this report (no file-modification or note-drop IoCs are listed) corroborates ransomware, so treat it as a weak signal.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid process -> target pid target process):
    396 ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe -> 32 control.exe (3 entries)
    32 control.exe -> 5056 rundll32.exe (3 entries)
    5056 rundll32.exe -> 4512 RunDll32.exe (2 entries)
    4512 RunDll32.exe -> 1920 rundll32.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\control.exe
      command line: "C:\Windows\System32\control.exe" .\1ufgQl.WY6
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\1ufgQl.WY6
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\RunDll32.exe
            command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\1ufgQl.WY6
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe
               command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\1ufgQl.WY6
               - Loads dropped DLL

What the tree shows: the sample drops 1ufgQl.WY6 next to itself in %TEMP% and launches control.exe on it. control.exe does not care about the extension; it hands the file to rundll32.exe Shell32.dll,Control_RunDLL, which loads it as a Control Panel applet DLL and calls into it. That is why the "Loads dropped DLL" signature fires on the rundll32 instances (PIDs 5056 and 1920), not on the sample itself: the payload executes inside a signed Windows host process. The command lines name System32 paths while the executed images sit in SysWOW64 because the sample is 32-bit (the resource tags list arch:x86) and WOW64 file-system redirection applies; the 64-bit RunDll32.exe at depth 4 re-spawning a 32-bit rundll32.exe with shell32.dll ordinal #44 is consistent with shell32 handing a 32-bit applet off to a 32-bit host.
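The chain above is a detection opportunity: control.exe or rundll32.exe Control_RunDLL hosting a file that is not a .cpl, resolved from a relative or user-writable path, beneath a parent running out of %TEMP%. The following is an added example written for this page, not code from the sandbox or the report. It replays the report's process tree as constructed process-creation events (the PIDs, images and command lines of 396, 32, 5056, 4512 and 1920 are the report's; the explorer.exe parent PID 4000 and the two benign timedate.cpl events are assumptions used as a control) and also scores the Geo\Nation registry read from the first signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed events mirroring the report's process tree. PIDs 396, 32, 5056,
# 4512 and 1920 are taken from the report; explorer.exe (PID 4000) and the
# timedate.cpl events (PIDs 7000, 7001) are assumed, as a benign control.
SAMPLE = "ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000"
           r"\Control Panel\International\Geo\Nation")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image actually executed (after WOW64 redirection)
    cmdline: str


EVENTS: List[ProcEvent] = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(396, 4000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(32, 396, r"C:\Windows\SysWOW64\control.exe",
              r'"C:\Windows\System32\control.exe" .\1ufgQl.WY6'),
    ProcEvent(5056, 32, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\1ufgQl.WY6'),
    ProcEvent(4512, 5056, r"C:\Windows\system32\RunDll32.exe",
              r"C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\1ufgQl.WY6"),
    ProcEvent(1920, 4512, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\1ufgQl.WY6'),
    ProcEvent(7000, 4000, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" timedate.cpl'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL timedate.cpl'),
]

TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')      # keeps quoted paths with spaces intact
CPL_HOST = re.compile(r"\\(control|rundll32)\.exe$", re.I)
# shell32.dll,Control_RunDLL or an ordinal such as shell32.dll,#44
CONTROL_RUNDLL = re.compile(r"shell32\.dll,(Control_RunDLL|#\d+)$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def tokens(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def applet_argument(ev: ProcEvent) -> Optional[str]:
    """Return the applet handed to control.exe or to shell32!Control_RunDLL, else None."""
    if not CPL_HOST.search(ev.image):
        return None
    toks = tokens(ev.cmdline)
    if ev.image.lower().endswith("control.exe"):
        return toks[1] if len(toks) > 1 else None
    for i in range(1, len(toks)):
        if CONTROL_RUNDLL.search(toks[i]):
            return toks[i + 1] if i + 1 < len(toks) else ""
    return None


def suspicious_applet(arg: str) -> List[str]:
    reasons = []
    if not arg.lower().endswith(".cpl"):
        reasons.append("applet is not a .cpl file")
    # bare names like timedate.cpl resolve through the system path and are left alone
    if arg.startswith((".\\", "..\\")) or USER_WRITABLE.search(arg):
        reasons.append("applet loaded from a relative or user-writable path")
    return reasons


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:    # seen guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_cpl_abuse(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every control.exe/rundll32.exe hosting a suspicious applet."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for ev in events:
        arg = applet_argument(ev)
        if arg is None:
            continue
        reasons = suspicious_applet(arg)
        if any(USER_WRITABLE.search(a.image) for a in ancestry(ev.ppid, by_pid)):
            reasons.append("ancestor process runs from a user-writable directory")
        if reasons:
            hits[ev.pid] = reasons
    return hits


def flag_geofence_lookup(image: str, key: str) -> bool:
    """Geo/Nation read by a process outside C:\\Windows. Weak on its own: installers and
    locale-aware software read it too, so pair it with the process context above."""
    return bool(GEO_NATION.search(key)) and not image.lower().startswith("c:\\windows\\")


if __name__ == "__main__":
    for pid, reasons in find_cpl_abuse(EVENTS).items():
        print(pid, "|", "; ".join(reasons))
    print("geofence lookup by sample:", flag_geofence_lookup(EVENTS[1].image, GEO_KEY))
```

Run against the constructed events, every host in the report's chain (PIDs 32, 5056, 4512, 1920) is flagged on all three counts while the timedate.cpl control is not; in production the events would come from Sysmon event ID 1 or the equivalent EDR telemetry, and the ancestry walk is what separates this from a noisy rundll32 rule.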
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1ufgQl.WY6
  Filesize: 641.3MB
  MD5: ae2402127ac09a2476a9982a015555cf
  SHA1: 4555445998c1560806c8c4b35a2eea17fe30f3cb
  SHA256: f3cca8c203e5aa875845d62237c00b87ac71ac61a9b21595f281413c31bd2002
  SHA512: 6b9d4b26c42693c987d8a48871f1a84c72d0d65fd9443260847252dead0d1bcd1fd7e2e0d4c73f59c56143a69d7c9c68e64af87d5466529c65ebfe4744fed24f
- C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
  Filesize: 630.9MB
  MD5: 8208ff1e73fbe0740091a84d29583693
  SHA1: a3e7495438a8f8b2f946ca74b98b7fba0eca5775
  SHA256: d9f847629fec80f68929099742ebb91a486d6e7dc02aa838c9aa8ac35bc3da7d
  SHA512: 14d1894475fc70f83c040da76d02bf65c15d9d38b056648c9c9a3e543698e59b4f96bec6757f894efea2525c14c2f3fe266ec5e492830cdc2108b200fe8ea533
- C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
  Filesize: 602.5MB
  MD5: 551b26501b7e03b1c071abfd41ef9b5a
  SHA1: 2ee89f50c4e55ec1b07f804501dc349d26df0115
  SHA256: d4fe0bd63a534f10382a65668931ae2ca8441c71b102ba07d662e1de3ef3d028
  SHA512: bb4c212591be0b088fe5098d46d49ef0e468e964cb230614ad204f18415291866b18157c8b6cafe8728bd23e6c6c3b06750acc1ed106fdee7acc65b39089e1f6
- C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
  Filesize: 37.1MB
  MD5: e64f1664b6cba54ae1333eb3693b32ac
  SHA1: 8fa1721049bc2782a614c0d6c0ebf0473a4bee08
  SHA256: 22ad9fb81ceef26672cded02c5f3957ee358daa4c61744c9d52ceb1752e4dea5
  SHA512: c2f7ce465ec71777ac2860552b8c58c8bc9ce45a733b39b082f0cbe42e59434537c8fb002632a9a917d821db939a97b8339439f0631384515b3c0cd32b63be8c
- C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
  Filesize: 43.6MB
  MD5: 2e314721c24994fe5dc05a28f3cc1e9a
  SHA1: ce7f67dde833c31054a79beba793b781c52b41f9
  SHA256: 7f35e5a867ceadff596b2c477cf77bc0fe80ee88d1b1269a1aca327aa0f2fc04
  SHA512: e7000bc736335ebbe75f9acffc11fc09a3f8ecbbd2d62a84dfab871a4c125669ec225e242d20c2bc2a4a1fd8e81d298cbcffe594853626fd6457fe0a9cee49e0

The five entries are one path (the WY6/Wy6 case difference is only in how the name was recorded) captured at different sizes with different hashes, most likely snapshots taken while the sample was still writing the file. A 2.3MB dropper producing a 600MB-plus applet is itself worth noting: payloads inflated far beyond the upload limits of most scanners and sandboxes are a common way to avoid being collected and scanned, so hash the file as a whole, but hunt on the path, the size jump and the control.exe/rundll32 loading behaviour rather than on any one hash here.
- memory/32-130-0x0000000000000000-mapping.dmp
- memory/1920-143-0x0000000000000000-mapping.dmp
- memory/1920-148-0x000000002ED80000-0x000000002EE74000-memory.dmp (976KB)
- memory/1920-147-0x000000002EB50000-0x000000002EC76000-memory.dmp (1.1MB)
- memory/1920-146-0x0000000002860000-0x0000000003860000-memory.dmp (16.0MB)
- memory/4512-142-0x0000000000000000-mapping.dmp
- memory/5056-131-0x0000000000000000-mapping.dmp
- memory/5056-139-0x000000002EFC0000-0x000000002F067000-memory.dmp (668KB)
- memory/5056-138-0x000000002EF00000-0x000000002EFBD000-memory.dmp (756KB)
- memory/5056-137-0x000000002EE00000-0x000000002EEF4000-memory.dmp (976KB)
- memory/5056-136-0x000000002D940000-0x000000002DA66000-memory.dmp (1.1MB)
- memory/5056-135-0x0000000002C90000-0x0000000003C90000-memory.dmp (16.0MB)