dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645

Analysis

max time kernel
134s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
Size

458KB
MD5

9633e7b2c2a61723bea584fce75d82b0
SHA1

bbd86304cde43b505204d20cfb86bcf288dce44e
SHA256

dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645
SHA512

cd1d2945b31e27dad0c242c380413fac898a187e267ec83259b53ca480c00e7ee1d74935de6114f82061b1c209dca1a975f28ec40f24454b4ae0590623c98fa2
SSDEEP

12288:fbWpulQyhqDM2RtRXo6TtKE3FySt0AQXquLYXrWn:DWpxyhqDMKjXFTtROKbWn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4188	readme.exe
1236	my_70026.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4016-132-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4016-136-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	readme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4188	4016	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	83
PID 4016 wrote to memory of 4188	4016	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	83
PID 4016 wrote to memory of 4188	4016	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	83
PID 4188 wrote to memory of 1236	4188	readme.exe	84
PID 4188 wrote to memory of 1236	4188	readme.exe	84
PID 4188 wrote to memory of 1236	4188	readme.exe	84

C:\Users\Admin\AppData\Local\Temp\dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
"C:\Users\Admin\AppData\Local\Temp\dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe
  "C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\my_70026.exe
    "C:\Users\Admin\AppData\Local\Temp\my_70026.exe"
    3⤵
    - Executes dropped EXE
    PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
memory/4016-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4016-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download