118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe
Size

18KB
MD5

57b3a721d8001f6a5e1cada2f61cb1c0
SHA1

77af44e78d523daa0f34c8da394fce2f65270818
SHA256

118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09
SHA512

6c6f6f06c38516de813a3c253fd232d42ae8a8fe3ce0dc250816c20a24242022f26f3daac3ede7508d951d6e02ff3fb8e3cb4b06ed9ed0c13bcb0e3d5fe9ac72
SSDEEP

384:6EJ7osKQ3wK8ZL2lQ9/sF1666666666JJ7UueqrDjFvbE49RvtX:/8sJAnZCQBwuUuequeR1X

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4764	justupdater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4764	4724	118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe	85
PID 4724 wrote to memory of 4764	4724	118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe	85
PID 4724 wrote to memory of 4764	4724	118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe	85

C:\Users\Admin\AppData\Local\Temp\118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe
"C:\Users\Admin\AppData\Local\Temp\118362137e29f459069b2644ddaf4bc08f3f4e6b4f68db6d7c3fe3985085ae09.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\justupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\justupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\justupdater.exe

Filesize
18KB

MD5
7eb6b2dfa00dc3584cd8c0f8d2b7e8f5

SHA1
3e59e89d8d3917b7397b51c84471286ef07247f8

SHA256
e3b947f3239b91b7d50c95100a1c575b8686607a3bd7c05c645774f54dd1055c

SHA512
d5004d912bb74f40fb2bb46f76d43040b901bdc4f283f1a6cc9a96317112622749112abadf089fdd9cf45458b8bd85b7b6850e0a95f9c5c9ddea69df3134a310

Download Submit
C:\Users\Admin\AppData\Local\Temp\justupdater.exe

Filesize
18KB

MD5
7eb6b2dfa00dc3584cd8c0f8d2b7e8f5

SHA1
3e59e89d8d3917b7397b51c84471286ef07247f8

SHA256
e3b947f3239b91b7d50c95100a1c575b8686607a3bd7c05c645774f54dd1055c

SHA512
d5004d912bb74f40fb2bb46f76d43040b901bdc4f283f1a6cc9a96317112622749112abadf089fdd9cf45458b8bd85b7b6850e0a95f9c5c9ddea69df3134a310

Download Submit