10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52

Analysis

max time kernel
91s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe
Size

111KB
MD5

5b3e0d9d8e5b8c6382491e6676a92e20
SHA1

0c1bec3d03128e3a1c73502073e6501c14cd71d3
SHA256

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52
SHA512

b36135192d5b754743ecd2674b297060ea4c1d20ca20192f0b215ab1e8afa35219f70bc7b2b2be91d762e162e410b1dbbbff8bed1d5d4e94d7e50eda9785441c
SSDEEP

3072:nemS6MwVQCGo4qiRlUE0aWQ4K9NIgjdswyMRFIb:6CGVLUE0a9RNIg2w0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4796	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 416	4796	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	83
PID 4796 wrote to memory of 416	4796	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	83
PID 4796 wrote to memory of 416	4796	10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe	83

C:\Users\Admin\AppData\Local\Temp\10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe
"C:\Users\Admin\AppData\Local\Temp\10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xfj..bat" > nul 2> nul
  2⤵
  PID:416

Network

DNS

tinypic.com

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

tinypic.com

IN A

Response

tinypic.com

IN A

18.65.39.35

tinypic.com

IN A

18.65.39.70

tinypic.com

IN A

18.65.39.3

tinypic.com

IN A

18.65.39.119
DNS

match.com

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

match.com

IN A

Response

match.com

IN A

208.83.240.49
DNS

daum.net

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

daum.net

IN A

Response

daum.net

IN A

211.249.220.24

daum.net

IN A

121.53.105.193
DNS

kwimetal.in

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

kwimetal.in

IN A

Response
DNS

rooftopjam.in

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

rooftopjam.in

IN A

Response
DNS

jumppack.in

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

Remote address:

8.8.8.8:53

Request

jumppack.in

IN A

Response

8.238.21.254:80

46 B
40 B
1
1
8.238.21.254:80

46 B
40 B
1
1
20.189.173.12:443

322 B
7
8.238.21.254:80

322 B
7
8.238.21.254:80

322 B
7
8.238.21.254:80

322 B
7

8.8.8.8:53

tinypic.com

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

57 B
121 B
1
1

DNS Request

tinypic.com

DNS Response

18.65.39.35

18.65.39.70

18.65.39.3

18.65.39.119
8.8.8.8:53

match.com

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

55 B
71 B
1
1

DNS Request

match.com

DNS Response

208.83.240.49
8.8.8.8:53

daum.net

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

54 B
86 B
1
1

DNS Request

daum.net

DNS Response

211.249.220.24

121.53.105.193
8.8.8.8:53

kwimetal.in

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

57 B
110 B
1
1

DNS Request

kwimetal.in
8.8.8.8:53

rooftopjam.in

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

59 B
112 B
1
1

DNS Request

rooftopjam.in
8.8.8.8:53

jumppack.in

dns

10a874f68cd31b3b6806157408b24ab817adf27e85594fa2fd9e460088a33a52.exe

57 B
110 B
1
1

DNS Request

jumppack.in

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xfj..bat

Filesize
274B

MD5
fc7be8efa830be554b0d37347d2fef82

SHA1
dec6edb5da391e959cf152ba634eb2d8da6d6963

SHA256
5b3326cc8f66580b4087c76c598f0ef09e79aa8228d50a0977163fbc2cc8570f

SHA512
6c9e2b13b62c4633a3e820242a4957b1468f401ff8ccbea5363cee1409fba5ee0b672011cfb29ed73811718d7784b9d6d2f32ab96709d89b97f2b074e4eecaf5

Download Submit
memory/4796-132-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4796-134-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.