29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934

Analysis

max time kernel
128s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe
Size

20KB
MD5

909a3a2a46c7ebdd3fc1b382a7ce7a90
SHA1

745a6a2f4dbe5f123194ffcba82544e66c78a287
SHA256

29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934
SHA512

a413a70a3570495cda6e841903882726b2ff7bbaa022d7add57820b3cf636c6140001ee683e5c097443bc30a1ea6d98e40587b42ca544f98642b64b3b241b1b7
SSDEEP

384:uHdZNg+Ml2+0fkkzWUHh1DjHXRrs905INeZCFtejlIko5dN127BFVn2p4lAnZ8Or:Q3NXvkkRfDjHXRrs9sINeZEtejlIkoLB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	realupdater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2384	3044	29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe	84
PID 3044 wrote to memory of 2384	3044	29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe	84
PID 3044 wrote to memory of 2384	3044	29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe	84

C:\Users\Admin\AppData\Local\Temp\29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe
"C:\Users\Admin\AppData\Local\Temp\29568cfbff9f53db6fb3ef987853d0cda05b0c1e1135213e6b5cadd643471934.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\realupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\realupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\realupdater.exe

Filesize
20KB

MD5
20e63b6de7b324a7c15eefb865c3962d

SHA1
a7409cd141f8aee8e18216f25505723b90d47bb5

SHA256
95ae971b5be5a2f426aba4eb76e425198d9c6f7334790a92c1d0874195ac4fb8

SHA512
9e66422630e61fe7059efc5f7c3031f0c9a1a80abe45695b9c5f7b3d3cf6f6f0cd994081e3a3ab3fda052e79184b677a068354328776e15ca1cde66d4d53f08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\realupdater.exe

Filesize
20KB

MD5
20e63b6de7b324a7c15eefb865c3962d

SHA1
a7409cd141f8aee8e18216f25505723b90d47bb5

SHA256
95ae971b5be5a2f426aba4eb76e425198d9c6f7334790a92c1d0874195ac4fb8

SHA512
9e66422630e61fe7059efc5f7c3031f0c9a1a80abe45695b9c5f7b3d3cf6f6f0cd994081e3a3ab3fda052e79184b677a068354328776e15ca1cde66d4d53f08a

Download Submit
memory/2384-132-0x0000000000000000-mapping.dmp

Download
memory/2384-136-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/3044-135-0x0000000000320000-0x0000000000329000-memory.dmp

Filesize
36KB

Download