5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
Size

207KB
MD5

9018ab3b119bc184db5e6ff7e2c3e710
SHA1

5aeb42974058129afdde14bf4c2374b45394d0ff
SHA256

5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71
SHA512

f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962
SSDEEP

3072:FPWzTT9t3EuU/t7YFguAfbXTjTvxGz6bnIKq63cHPIB:FOvT/UD/x73bXTjTvxGz6bnIKovIB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5108	Services.exe
2580	System Idle Processes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	Services.exe
5108	Services.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
5108	Services.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
5108	Services.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
5108	Services.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
5108	Services.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe
2580	System Idle Processes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	Services.exe
Token: SeDebugPrivilege	2580	System Idle Processes.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4240	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
5108	Services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5108	Services.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 5108	4240	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	84
PID 4240 wrote to memory of 5108	4240	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	84
PID 4240 wrote to memory of 5108	4240	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	84
PID 5108 wrote to memory of 2580	5108	Services.exe	85
PID 5108 wrote to memory of 2580	5108	Services.exe	85
PID 5108 wrote to memory of 2580	5108	Services.exe	85

C:\Users\Admin\AppData\Local\Temp\5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
"C:\Users\Admin\AppData\Local\Temp\5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
102B

MD5
05429069b75363e69356a70c3770dc89

SHA1
f5183cfe912990a25519dcf7d79de19acf5657c7

SHA256
667c6db11bb025ca540886342d25a04496ab8d2c311a4bb9c5964cb72bd66242

SHA512
b9d9d42e2a2a1f29fb652e133ac1ccff4a3e79482d8899a68135dc06f4ab0ee7cd20a7a3eb342e3117a3ce5d83f563fe73b80635c0093021b8ff4f19f45b878e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe

Filesize
207KB

MD5
9018ab3b119bc184db5e6ff7e2c3e710

SHA1
5aeb42974058129afdde14bf4c2374b45394d0ff

SHA256
5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

SHA512
f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe

Filesize
207KB

MD5
9018ab3b119bc184db5e6ff7e2c3e710

SHA1
5aeb42974058129afdde14bf4c2374b45394d0ff

SHA256
5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

SHA512
f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe

Filesize
24KB

MD5
92ce7fb80c508354e5e88fdb6ba6d957

SHA1
c816b6cf0ae62385f6a16696eca2307871e9768d

SHA256
70e66964ddf9b89b7d95e6a30789a3a9aeaa172c238ebbaf289ce8bb7228d44b

SHA512
7a8bccea734b5439e61fcd293fb15573ebd507ce77ae886ff700559074ca76df33ba0c209475055a23f913b767cbcde62c13afd30c9a386ed2c17eec09819b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe

Filesize
24KB

MD5
92ce7fb80c508354e5e88fdb6ba6d957

SHA1
c816b6cf0ae62385f6a16696eca2307871e9768d

SHA256
70e66964ddf9b89b7d95e6a30789a3a9aeaa172c238ebbaf289ce8bb7228d44b

SHA512
7a8bccea734b5439e61fcd293fb15573ebd507ce77ae886ff700559074ca76df33ba0c209475055a23f913b767cbcde62c13afd30c9a386ed2c17eec09819b60

Download Submit
memory/2580-143-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2580-145-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4240-132-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4240-137-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4240-133-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/5108-139-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/5108-144-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download