27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe
Size

345KB
MD5

1c15d63240a2028c17e9a11e6925abc9
SHA1

bb854bb964cc6fc7f59699e3f682d1d08a69f047
SHA256

27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799
SHA512

7731801f2e626520d905c1146c2e28bcc208155e81101de3e4545258161ab6c87410fd207e20c9bad8b52990ad5632835d5ffc81e5fed4f827509bcd83605aa0
SSDEEP

6144:1G5k6n9Flbx3esxScA/RIIIIiIsjlBSAI5hIY4Z7+jZE:2VFlbx3esxScA/RIIIIiI8I5hIY4Z7+y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4844	Spam BoT v1.6.exe
4832	Crash___Burn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	Crash___Burn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4844	2508	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe	80
PID 2508 wrote to memory of 4844	2508	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe	80
PID 2508 wrote to memory of 4832	2508	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe	81
PID 2508 wrote to memory of 4832	2508	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe	81
PID 2508 wrote to memory of 4832	2508	27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe	81

C:\Users\Admin\AppData\Local\Temp\27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe
"C:\Users\Admin\AppData\Local\Temp\27cdc7a67e361253a53acd2bbc2590c39900d172c4f5d748f6e374a64351e799.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\Spam BoT v1.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Spam BoT v1.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\Crash___Burn.exe
  "C:\Users\Admin\AppData\Local\Temp\Crash___Burn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crash___Burn.exe

Filesize
24KB

MD5
43a8c589a4e3d23517e9f46331b19cd4

SHA1
b3e06daff13451d91ac5a3dfe5a330325608144c

SHA256
15013b543d90d1e60a16e5d4020877144b7b8a6ef269e57a5f1878b7abd78d62

SHA512
8863e0a22ededd93071b6615af3e60a0e38b685e622de9a83b3d502d1df7fd800ac2641ac1f5f6f2c4df372bc2533a10f8dfd48e2eebbc7cb77c005fa962f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crash___Burn.exe

Filesize
24KB

MD5
43a8c589a4e3d23517e9f46331b19cd4

SHA1
b3e06daff13451d91ac5a3dfe5a330325608144c

SHA256
15013b543d90d1e60a16e5d4020877144b7b8a6ef269e57a5f1878b7abd78d62

SHA512
8863e0a22ededd93071b6615af3e60a0e38b685e622de9a83b3d502d1df7fd800ac2641ac1f5f6f2c4df372bc2533a10f8dfd48e2eebbc7cb77c005fa962f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spam BoT v1.6.exe

Filesize
300KB

MD5
a704834fbe667b372d6266cbfa7b996b

SHA1
36f1794fb02db6bed28cc70284a6268cbb6ae8fa

SHA256
7dc3b2aab9ce75f15a6064a5e0bf7791c767d82157ee1256a1d505781d242284

SHA512
04b9ea91eb9946c872ff1dbdfd031b282965527d778a16007bda8f655fa5346cf3744ff2e725fad66aa90b97f174964f4c11a4c9b4e876489d4c93afe5bf14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spam BoT v1.6.exe

Filesize
300KB

MD5
a704834fbe667b372d6266cbfa7b996b

SHA1
36f1794fb02db6bed28cc70284a6268cbb6ae8fa

SHA256
7dc3b2aab9ce75f15a6064a5e0bf7791c767d82157ee1256a1d505781d242284

SHA512
04b9ea91eb9946c872ff1dbdfd031b282965527d778a16007bda8f655fa5346cf3744ff2e725fad66aa90b97f174964f4c11a4c9b4e876489d4c93afe5bf14c5

Download Submit
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4844-140-0x00007FFCC24A0000-0x00007FFCC2ED6000-memory.dmp

Filesize
10.2MB

Download