52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe
Size

421KB
MD5

4616ce9370920b2ca0408c0942a37925
SHA1

52bc1c7c0c54818652a7c2c568ad4776c709c0e6
SHA256

52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4
SHA512

4ebd8d4ca8c853c2acbf6643b568a64df0e0244a48ec223f12bef186962175b81ff80529953ec6421429c4256e382bb125cbc049926776835b1fa2edda98d8b9
SSDEEP

12288:DjODTivE9GzlV3yPRpb+Wvo3/nZFozAKR4pL:DjOysIhV3ORpbBofZFv7pL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	AutoInst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
540	AutoInst.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 540	536	52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe	82
PID 536 wrote to memory of 540	536	52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe	82
PID 536 wrote to memory of 540	536	52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe	82

C:\Users\Admin\AppData\Local\Temp\52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe
"C:\Users\Admin\AppData\Local\Temp\52ead4229ecc08e33fdcf3f1c213fe5161068e01c82f8510a0a5e71fac63bbb4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\7zS6C99.tmp\AutoInst.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS6C99.tmp\AutoInst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6C99.tmp\AutoInst.exe

Filesize
805KB

MD5
6709897005120aec5674859cc20b1db3

SHA1
d6060f0989d6aea4b51f7dde439ca5a21fbc6639

SHA256
ebddf94172297bcf26fb6142f599de1facb43ab81e8fdf0d83fa79ad2f7ff5c8

SHA512
a753ff5121b2c64d473542bee51a90bb953e65879c9cd44812b4b0fd921aa7e19012341b05ccf6fd58c05c3f34715b671c6924526c165ba2aaf3804eb0b421b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C99.tmp\AutoInst.exe

Filesize
805KB

MD5
6709897005120aec5674859cc20b1db3

SHA1
d6060f0989d6aea4b51f7dde439ca5a21fbc6639

SHA256
ebddf94172297bcf26fb6142f599de1facb43ab81e8fdf0d83fa79ad2f7ff5c8

SHA512
a753ff5121b2c64d473542bee51a90bb953e65879c9cd44812b4b0fd921aa7e19012341b05ccf6fd58c05c3f34715b671c6924526c165ba2aaf3804eb0b421b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C99.tmp\AutoInst.ini

Filesize
163B

MD5
d9c4f59afc8c3cb54e7faf0bd9101829

SHA1
ffd6813a22da469c64f901988bbfbf30fce84911

SHA256
4274c2468fa382d5e2b4a91e76c8bfa66caaf7d1d44e2d36b896987350ad8c62

SHA512
d049bc630f0cef5a291ca65efe3ffb2b8cb64452bf67ed47bf8b8b30fa72cdc7e8dc4c1d2a8a881856d953c118d00b56e71967a59f5a1bc8e05a8f94e48afdf9

Download Submit