5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d

Analysis

max time kernel
76s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe
Size

421KB
MD5

1fe104c0c6b8e2ff1e6af09d71b2e44e
SHA1

913ac9d7c8acf8dc427581605091440bb7f19d98
SHA256

5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d
SHA512

61d7fc066f9f6d2c919891ffba676b960d9c9be23dfbfabc3837eae89dc9b7bc211727cedd22d336f9b5d163a806b9fdbb653ce4cb51c90af800d8396e35beae
SSDEEP

12288:DjODTivE9Gzlr3yPRpb+Wvo3/nZFozAKR4p3:DjOysIhr3ORpbBofZFv7p3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4156	AutoInst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4156	AutoInst.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4156	4760	5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe	82
PID 4760 wrote to memory of 4156	4760	5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe	82
PID 4760 wrote to memory of 4156	4760	5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe	82

C:\Users\Admin\AppData\Local\Temp\5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe
"C:\Users\Admin\AppData\Local\Temp\5374c114d8bcf4258435a2cd76b7e1ad8f922d33bf9c015d15cee68931046b0d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\7zS5A88.tmp\AutoInst.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS5A88.tmp\AutoInst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS5A88.tmp\AutoInst.exe

Filesize
805KB

MD5
6709897005120aec5674859cc20b1db3

SHA1
d6060f0989d6aea4b51f7dde439ca5a21fbc6639

SHA256
ebddf94172297bcf26fb6142f599de1facb43ab81e8fdf0d83fa79ad2f7ff5c8

SHA512
a753ff5121b2c64d473542bee51a90bb953e65879c9cd44812b4b0fd921aa7e19012341b05ccf6fd58c05c3f34715b671c6924526c165ba2aaf3804eb0b421b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A88.tmp\AutoInst.exe

Filesize
805KB

MD5
6709897005120aec5674859cc20b1db3

SHA1
d6060f0989d6aea4b51f7dde439ca5a21fbc6639

SHA256
ebddf94172297bcf26fb6142f599de1facb43ab81e8fdf0d83fa79ad2f7ff5c8

SHA512
a753ff5121b2c64d473542bee51a90bb953e65879c9cd44812b4b0fd921aa7e19012341b05ccf6fd58c05c3f34715b671c6924526c165ba2aaf3804eb0b421b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A88.tmp\AutoInst.ini

Filesize
165B

MD5
e935d8e5d049a4bc817a754ecac200bd

SHA1
aa87ca72a14d826dd0ed5563ba1084fc0b407a50

SHA256
8fdb740d34fe42516d9be70fb37969a5d1ebe994c9180c3d76aecf04b96bdb4d

SHA512
72dd99d4410955fa47df32f635a2ce379d3d5a8865ae1f60b12787cb904f1881e79bd129a8d05e5d5d3f271592c7b7b8e512ae3e0977197497a343ca4de89984

Download Submit