308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6

Analysis

max time kernel
167s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe
Size

322KB
MD5

50fb640801ebfa43f9dee459d1396ec0
SHA1

af6edb6aa7af05273d3d5282f1e7a7590d54e83f
SHA256

308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6
SHA512

e88c7a106869eb1b63f229f55a4c7c3cf498581b14e366de3a7f1027a651c027c19ce11136aa670a33f6eca6d1b4f18e1dcb3743a16c458db2e7c808549fe850
SSDEEP

6144:b1dlZro5yn7mwgHAzBKgdFGOdDR2zhBSMW82U9UgoQeVS7:b1dlZo5yn7mwiAlKgPGOdDRklW8r9Ucv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1504	blockshost.exe
808	Code2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe
808	Code2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	blockshost.exe
Token: SeDebugPrivilege	808	Code2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1504	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	79
PID 1936 wrote to memory of 1504	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	79
PID 1936 wrote to memory of 1504	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	79
PID 1936 wrote to memory of 808	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	80
PID 1936 wrote to memory of 808	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	80
PID 1936 wrote to memory of 808	1936	308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe	80

C:\Users\Admin\AppData\Local\Temp\308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe
"C:\Users\Admin\AppData\Local\Temp\308bbee84dbdd2475b150544ea9ef38bc144ebcfc56342d576863b594133f9c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Extracted\blockshost.exe
  "C:\Extracted\blockshost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Extracted\Code2.exe
  "C:\Extracted\Code2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Code2.exe

Filesize
21KB

MD5
fdcce7c57b267773962d1e4918dd8794

SHA1
2a00981f76dcd7ed64f25abc6aff73fc2f1868e3

SHA256
337d5fa7e11626665366480874f9293705a4fd17824576bc3dad277ddc145295

SHA512
70b782cbaf6efce4b1571ff96a471c95eb5088ede791d0e55c18cd237d4202e53a5c180cb28f70ed5b4670602d81113e5cc2cd7ae0ec06ef644a16f24966789a

Download Submit
C:\Extracted\Code2.exe

Filesize
21KB

MD5
fdcce7c57b267773962d1e4918dd8794

SHA1
2a00981f76dcd7ed64f25abc6aff73fc2f1868e3

SHA256
337d5fa7e11626665366480874f9293705a4fd17824576bc3dad277ddc145295

SHA512
70b782cbaf6efce4b1571ff96a471c95eb5088ede791d0e55c18cd237d4202e53a5c180cb28f70ed5b4670602d81113e5cc2cd7ae0ec06ef644a16f24966789a

Download Submit
C:\Extracted\blockshost.exe

Filesize
312KB

MD5
106c99f9860159b5dac3fca0377b5a6b

SHA1
25ec96142816d9e447f2ddf81a0f59ddf8c134c7

SHA256
22335d72fe441a23a57fbb9d87197a685e842456ffe798f50f88b40dbad45e69

SHA512
5f29799a6c384024a66dc9e9beef35bd23d32411f6894fe9047b8f7a8d9495e1dc680a5a478744f2c5a81fd242c56c66c14f2d8251412a71460fbe993d510511

Download Submit
C:\Extracted\blockshost.exe

Filesize
312KB

MD5
106c99f9860159b5dac3fca0377b5a6b

SHA1
25ec96142816d9e447f2ddf81a0f59ddf8c134c7

SHA256
22335d72fe441a23a57fbb9d87197a685e842456ffe798f50f88b40dbad45e69

SHA512
5f29799a6c384024a66dc9e9beef35bd23d32411f6894fe9047b8f7a8d9495e1dc680a5a478744f2c5a81fd242c56c66c14f2d8251412a71460fbe993d510511

Download Submit
memory/808-141-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

Filesize
624KB

Download
memory/808-140-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/808-142-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/808-143-0x0000000004C50000-0x0000000004CE2000-memory.dmp

Filesize
584KB

Download
memory/808-144-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/808-145-0x0000000004E90000-0x0000000004EE6000-memory.dmp

Filesize
344KB

Download
memory/1504-136-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/1504-135-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download