45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17

Analysis

max time kernel
112s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 12:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe
Size

1.8MB
MD5

2ed4641a456132785d559f1a35bb7f32
SHA1

1db822c014dc13c3c4e3774d9e68a410ed6190d7
SHA256

45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17
SHA512

67c183e8a6fa8c5cfd3be7b1473fe297dbeecb5624fd4f086c8b59fc19ac19260d69b323cf248b35706124bd130caf339cc4d24d824b771bbd757d68958eb164
SSDEEP

49152:S3dem+vz9uXqZLzUK27p80Xu94v6ILkVc:SKZG0LzfEp80BCkr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	regsvr32.exe
3056	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3056	736	45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe	82
PID 736 wrote to memory of 3056	736	45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe	82
PID 736 wrote to memory of 3056	736	45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe	82

C:\Users\Admin\AppData\Local\Temp\45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe
"C:\Users\Admin\AppData\Local\Temp\45d3ee96988463c017553fbb2cfee6a2df1ab6043d10710885c7e735f320ae17.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" SQSF.8_ /s
  2⤵
  - Loads dropped DLL
  PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQSF.8_

Filesize
1.8MB

MD5
ae08305d9df641845c4214f993adc5b6

SHA1
106822f18c3cb5d8445dba412b9d415d266923bf

SHA256
55904dcfebcaa4e5a126b7e74c4a89c4ac9a0b73a3173813e6aa87208ebafb76

SHA512
50a8b06efd93e8c110543dc509c0e5a69babebba12f9cde88a75442ffb737b3a45a6cf969968d96605b75fa5b79155187baeda2311d78d2d295f8a769c84b88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqsF.8_

Filesize
1.8MB

MD5
ae08305d9df641845c4214f993adc5b6

SHA1
106822f18c3cb5d8445dba412b9d415d266923bf

SHA256
55904dcfebcaa4e5a126b7e74c4a89c4ac9a0b73a3173813e6aa87208ebafb76

SHA512
50a8b06efd93e8c110543dc509c0e5a69babebba12f9cde88a75442ffb737b3a45a6cf969968d96605b75fa5b79155187baeda2311d78d2d295f8a769c84b88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqsF.8_

Filesize
1.8MB

MD5
ae08305d9df641845c4214f993adc5b6

SHA1
106822f18c3cb5d8445dba412b9d415d266923bf

SHA256
55904dcfebcaa4e5a126b7e74c4a89c4ac9a0b73a3173813e6aa87208ebafb76

SHA512
50a8b06efd93e8c110543dc509c0e5a69babebba12f9cde88a75442ffb737b3a45a6cf969968d96605b75fa5b79155187baeda2311d78d2d295f8a769c84b88a

Download Submit
memory/3056-136-0x0000000002370000-0x0000000002537000-memory.dmp

Filesize
1.8MB

Download
memory/3056-138-0x0000000002950000-0x0000000002A48000-memory.dmp

Filesize
992KB

Download
memory/3056-137-0x0000000002720000-0x000000000284F000-memory.dmp

Filesize
1.2MB

Download
memory/3056-139-0x0000000002A60000-0x0000000002B22000-memory.dmp

Filesize
776KB

Download
memory/3056-140-0x0000000002B40000-0x0000000002BED000-memory.dmp

Filesize
692KB

Download
memory/3056-141-0x0000000002B40000-0x0000000002BED000-memory.dmp

Filesize
692KB

Download
memory/3056-143-0x0000000002950000-0x0000000002A48000-memory.dmp

Filesize
992KB

Download