1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652

Analysis

max time kernel
148s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe
Size

1.1MB
MD5

39c75a18f0003d351ba8878ae634ed5c
SHA1

59648a14cd51fba0240f64e2ed6ae72c367f0a1d
SHA256

1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652
SHA512

0b0dee836de6ff9abac4aceadde67c1286dda2e2a2a23f1b604e79e359a48d98f1a040817b4a0eb219ffecb089e435c78792bfe27d5001155ca686c3edeb0314
SSDEEP

24576:NT5wsPgKy0f2S7O5FlUpJYhQncFnvbCh8w:Nus+0f2SM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
736	LOL.exe
3280	server_ff4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
736	LOL.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 736	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	81
PID 4132 wrote to memory of 736	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	81
PID 4132 wrote to memory of 736	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	81
PID 4132 wrote to memory of 3280	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	82
PID 4132 wrote to memory of 3280	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	82
PID 4132 wrote to memory of 3280	4132	1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe	82

C:\Users\Admin\AppData\Local\Temp\1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe
"C:\Users\Admin\AppData\Local\Temp\1332c531a516dcf67de1df3ba0e4df4a20224ea4ebadc2fcc4b584964b31b652.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\LOL.exe
  "C:\Users\Admin\AppData\Local\LOL.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:736
- C:\Users\Admin\AppData\Local\server_ff4.exe
  "C:\Users\Admin\AppData\Local\server_ff4.exe"
  2⤵
  - Executes dropped EXE
  PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LOL.exe

Filesize
584KB

MD5
faeba776a31577433922a73082aaa37b

SHA1
a7b0030ddb9b3ae2c7175025d4818f9b2a751144

SHA256
9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f

SHA512
2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Download Submit
C:\Users\Admin\AppData\Local\LOL.exe

Filesize
584KB

MD5
faeba776a31577433922a73082aaa37b

SHA1
a7b0030ddb9b3ae2c7175025d4818f9b2a751144

SHA256
9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f

SHA512
2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Download Submit
C:\Users\Admin\AppData\Local\server_ff4.exe

Filesize
114KB

MD5
bda08d5b013c75f08aaa7f9cdda76e63

SHA1
edd0444a95f7d798ea3750168376019432c98582

SHA256
8ee4659e085cc362aa8f31e8011ebf35572ef594504add53e42e163ababa497c

SHA512
f27bef1b51964b68efb9f268d21c6e0d4222b85ca3155a13d2050950384c16d67325b5f822db333067e9e889db97d56066702dbff9b751ba9ab66adce8f18348

Download Submit
C:\Users\Admin\AppData\Local\server_ff4.exe

Filesize
114KB

MD5
bda08d5b013c75f08aaa7f9cdda76e63

SHA1
edd0444a95f7d798ea3750168376019432c98582

SHA256
8ee4659e085cc362aa8f31e8011ebf35572ef594504add53e42e163ababa497c

SHA512
f27bef1b51964b68efb9f268d21c6e0d4222b85ca3155a13d2050950384c16d67325b5f822db333067e9e889db97d56066702dbff9b751ba9ab66adce8f18348

Download Submit