f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
Size

203KB
MD5

82133810336bb9d1c2523c17a4808570
SHA1

53863f2253b101e21e3acbec5553b6d60eacbbab
SHA256

f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60
SHA512

17cc140ea661b628027a6de872a037a891b284d4d8c487f55b5d1acc616cc4154c94976a4f84271f837b11e9e3c7297d35fb3c232794e85cb0f7297fd2857e86
SSDEEP

6144:ecWMJJhqryYP/daqh5JghBNe4oa9RE04XU:eczJJhqrVPluhBNzRb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	plor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1564	2072	WerFault.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	plor.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2072	4028	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	84
PID 4028 wrote to memory of 2072	4028	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	84
PID 4028 wrote to memory of 2072	4028	f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe	84

C:\Users\Admin\AppData\Local\Temp\f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe
"C:\Users\Admin\AppData\Local\Temp\f6576e6ce51ac76c58a89532eaaddbc066fc3ce2fb8750d1adf84f46cd8a3f60.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 616
    3⤵
    - Program crash
    PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2072 -ip 2072
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plor.exe

Filesize
30KB

MD5
0a995c7d56b41d83c3188ad01b5c9d97

SHA1
87bd0b3c254ccf0e14ede1bca4c69dda2d7c36e7

SHA256
d308e6714a6ffa1e3fa97fcffba4c22b7149bfb38f7a3bac771f7fff386f2fd5

SHA512
bb0599ec47e60a8be55eaf273201f8703f45c5b6c22ad8186b3e723c60f63ee45b7ec0885cc68a0d375c0167a6bd20d471458e61167d40e590461b8410662a21

Download Submit
memory/2072-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2072-136-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download