97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2

Analysis

max time kernel
96s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe
Size

27KB
MD5

66caddc35c3a24de2274f3a6a99bd570
SHA1

52205dd2f6735f59a6298b27705998134b865541
SHA256

97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2
SHA512

cecb8dfdf8c7743385cbc6bfba6ad339333caf37d85badde8ec54799c849b23c40090756ea6f1292460d83fc8b5fc37126a2514ad529456c1edecc2817c2433d
SSDEEP

768:osJX+vzlGKec5+RZDKzepeNPmG6JX64yoXtC:osJElGKecg/DcepeNPmG6JXDh9C

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4324	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4324	5032	97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe	81
PID 5032 wrote to memory of 4324	5032	97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe	81
PID 5032 wrote to memory of 4324	5032	97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe	81

C:\Users\Admin\AppData\Local\Temp\97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe
"C:\Users\Admin\AppData\Local\Temp\97584e83257ef350bb41148b1b39c0863f156dc7645e726b3d2e0aa875562ab2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
27KB

MD5
35c74830dea0c2d0993a5cc7811ef500

SHA1
0e3853cc13f8573f83a1776e205239ec128b2ca9

SHA256
3f599e87deb4f5fe9cf1837b4d89b09b10c62b4567473845935245373b5cfc99

SHA512
89716c01d086ebd686f7ae2908263e5b88f844fac9ef5973ffabecda0ec5dc25a5c9bd103e102f239c077241dd2a791d81474421107b68a69af27631b37d0d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
27KB

MD5
35c74830dea0c2d0993a5cc7811ef500

SHA1
0e3853cc13f8573f83a1776e205239ec128b2ca9

SHA256
3f599e87deb4f5fe9cf1837b4d89b09b10c62b4567473845935245373b5cfc99

SHA512
89716c01d086ebd686f7ae2908263e5b88f844fac9ef5973ffabecda0ec5dc25a5c9bd103e102f239c077241dd2a791d81474421107b68a69af27631b37d0d21

Download Submit
memory/5032-132-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/5032-133-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download