21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf

Analysis

max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe
Size

53KB
MD5

a3b6c66325e4dc4d50d144f558f37b50
SHA1

5e7cbc7f1c0f19a061059a972aabaf7647be43a9
SHA256

21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf
SHA512

ed372fcdd448ac358919980c61d0a10545a45c15962632aeb1844668e7e83871ef9da925f9a87b6058f12b870de28e539c522b1cb77276bc8ee5bb214f39a745
SSDEEP

1536:ArMJHdrwV7lD/H70jNIDcY6ZPbPOSTSB0KwyubIm:X9h0t/QBIIM0KwfIm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3868	sinzor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3868	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	82
PID 2116 wrote to memory of 3868	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	82
PID 2116 wrote to memory of 3868	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	82
PID 2116 wrote to memory of 4612	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	83
PID 2116 wrote to memory of 4612	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	83
PID 2116 wrote to memory of 4612	2116	21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe	83

C:\Users\Admin\AppData\Local\Temp\21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe
"C:\Users\Admin\AppData\Local\Temp\21813e7f14561c7e3580a013df4dfa47ba4fcebbb8c5fe9b61eab8f891cf28bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\sinzor.exe
  "C:\Users\Admin\AppData\Local\Temp\sinzor.exe"
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
14635e62b7ff5857cf344b4861d4dcba

SHA1
9bf835a20a53850d5897d55c6fa30700b185f45c

SHA256
874c020b36039d910c45ce3f9127d50d93adf8dacb28857f6ffca388a6b4ca97

SHA512
d320730f12d4edaae422444de1dff79349d5ea6d5560fc0896545458a44ec78c564bfa36c75c212b3ba8318beb38c2677d5f241b3e515525c277e8d7856daa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
f4a30ddab65c371a6c4fde9087a16edd

SHA1
013110239db39f17d5dc145ada6d5953e79a1436

SHA256
cdeca43af8668b76eab3aeb4b84dc584d076401e5643f8d1dca351aa3c6db6d9

SHA512
0f891c166301bfc6c77f69b53a89b39ac7a070ec8af67a7726ebe4badf1ce1b880377ee89075d54cbc5b1570fa15d08d09f6334dc84d845c941c75ac5ef9a68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sinzor.exe

Filesize
53KB

MD5
1b00d0610b6f66c161329b05086f8719

SHA1
dd8d8c1fde435e1f71de1cd306dc27aff9fb7a4b

SHA256
16bac49dae1aae9b5cb8913d6dbdbe46c239213189478b1400c424de37b36b90

SHA512
4a58c70e02b3710abe27d53f0bfc8755a3cd2d32a20cf9364c468dc3fd7982d2b8581a375a858c09de2c84c4743d919bc258d0de6511c9ead931983fa383ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\sinzor.exe

Filesize
53KB

MD5
1b00d0610b6f66c161329b05086f8719

SHA1
dd8d8c1fde435e1f71de1cd306dc27aff9fb7a4b

SHA256
16bac49dae1aae9b5cb8913d6dbdbe46c239213189478b1400c424de37b36b90

SHA512
4a58c70e02b3710abe27d53f0bfc8755a3cd2d32a20cf9364c468dc3fd7982d2b8581a375a858c09de2c84c4743d919bc258d0de6511c9ead931983fa383ed17

Download Submit
memory/2116-132-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/2116-138-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/3868-136-0x0000000000A90000-0x0000000000AC6000-memory.dmp

Filesize
216KB

Download
memory/3868-141-0x0000000000A90000-0x0000000000AC6000-memory.dmp

Filesize
216KB

Download
memory/3868-142-0x0000000000A90000-0x0000000000AC6000-memory.dmp

Filesize
216KB

Download