9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
Size

446KB
MD5

098730132576ecf009e4a68e1b2fa76a
SHA1

ba047a51170be449090f40e2f52acdd041f89e24
SHA256

9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168
SHA512

9a619f89031bb781ee1a5d51d686de55f1e71ca1ddbecb6bf4ac43f2b91c29c32f7f6c43086d5a19b6abda8564bde992144d16bd4fea3c57a61b8efcbfe83fce
SSDEEP

6144:P4lRkAehaKuqT+FEaVnhelxxs6ZgwTSmpO7EqJh8ADX+EhzNjDGLGfGmS1ZlwIp6:PkWAehJuqTixSOV7EqtRtqLeiZlw4oek

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4776	2.exe
4776	2.exe
4776	2.exe
4776	2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4776	4644	9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe	83
PID 4644 wrote to memory of 4776	4644	9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe	83
PID 4644 wrote to memory of 4776	4644	9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe	83
PID 4776 wrote to memory of 2692	4776	2.exe	53
PID 4776 wrote to memory of 2692	4776	2.exe	53
PID 4776 wrote to memory of 2692	4776	2.exe	53
PID 4776 wrote to memory of 2692	4776	2.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
  "C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Documents and Settings\2.exe
    "C:\Documents and Settings\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\2.exe

Filesize
31KB

MD5
127209babfe00b21129b55d94aa9043c

SHA1
64b6e61d0727b939370619c441402aad326d94d2

SHA256
9701949c51b83279b667f4a4fbb400dcfbf2283e78f7243b2addc8dbac71c9dc

SHA512
48d3fc5d9e427b5bb3abd6925bae422434a61e577cd4debae82f6f51a6b3685c36c546acedba8009372284ca1c09b6073269af605d070a4f0b12c9b94dbce353

Download Submit
C:\Users\2.exe

Filesize
31KB

MD5
127209babfe00b21129b55d94aa9043c

SHA1
64b6e61d0727b939370619c441402aad326d94d2

SHA256
9701949c51b83279b667f4a4fbb400dcfbf2283e78f7243b2addc8dbac71c9dc

SHA512
48d3fc5d9e427b5bb3abd6925bae422434a61e577cd4debae82f6f51a6b3685c36c546acedba8009372284ca1c09b6073269af605d070a4f0b12c9b94dbce353

Download Submit
memory/2692-136-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4776-135-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/4776-137-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download