585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd

Analysis

max time kernel
63s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe
Size

1017KB
MD5

3ad3726c85456202b250309926d32036
SHA1

0b336cc32738a5a850dec451b66efa8875922e6c
SHA256

585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd
SHA512

43bdad9f7a6ce60fb4cb2088794f6d1763c66a9286db12a54a9f0bb9d3ee843f55e6203b6517315e447d31ce280520b7616fb62ff7b7c758b2412bc7b27e6f99
SSDEEP

24576:lOXFn7n+br3U4UUU3UUUz0Z5jK9NW+1MCRNGzSQ7//6oK8rqzpcbGvYkQ7Ft6Y1o:oVD+bTU4UUU3UUUwnK9RMCRN38lK5zpx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3168	DlpInstall.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DlpInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3168	2364	585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe	79
PID 2364 wrote to memory of 3168	2364	585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe	79
PID 2364 wrote to memory of 3168	2364	585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe	79
PID 3168 wrote to memory of 4904	3168	DlpInstall.exe	80
PID 3168 wrote to memory of 4904	3168	DlpInstall.exe	80
PID 3168 wrote to memory of 4904	3168	DlpInstall.exe	80

C:\Users\Admin\AppData\Local\Temp\585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe
"C:\Users\Admin\AppData\Local\Temp\585b373f36a4d912f73573d4cf1d57f67c5a360cdd297103c39935e9791721fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\7zSC390DEF6\DlpInstall.exe
  .\DlpInstall.exe -install
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\ProgramData\edpdlp /T /E /G everyone:F
    3⤵
    PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC390DEF6\DlpInstall.exe

Filesize
772KB

MD5
da61773bab1ec36b796236516afaa057

SHA1
2bae72104c31b8037f6fa533e631c2b904fe5bf4

SHA256
437596433e27eb216b71cb406e9b9ca42c288d9cf16af6b67e253010c3efe43d

SHA512
af741e800d03e084d0f139a1bf6f1899634259cee472ed5c43c85cd4b57c24a38cc077eb55dce5762f87fa90f1cfb7eada7fdb218c274dd7f52929056bcb2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC390DEF6\DlpInstall.exe

Filesize
772KB

MD5
da61773bab1ec36b796236516afaa057

SHA1
2bae72104c31b8037f6fa533e631c2b904fe5bf4

SHA256
437596433e27eb216b71cb406e9b9ca42c288d9cf16af6b67e253010c3efe43d

SHA512
af741e800d03e084d0f139a1bf6f1899634259cee472ed5c43c85cd4b57c24a38cc077eb55dce5762f87fa90f1cfb7eada7fdb218c274dd7f52929056bcb2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC390DEF6\dlpinstallcfg.xml

Filesize
7KB

MD5
64c928bd4a321bbdf43154f6496d8f49

SHA1
53bc2885e5b90b86787ce82a93eefab0f015c17c

SHA256
ec35f5f3b4c39a6c908412f48a1680ed6285357787ae0a809e01d57127db0a19

SHA512
a749a7198d7aeab12740f798d8d1269192e5088f8365ac1575a6a11d145a3aba938f9126873ec148455e1bddf2a0e3a2ab8f38559ad2cd4b6996394ad2ea2caf

Download Submit