6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e

Analysis

max time kernel
182s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe
Size

260KB
MD5

21e875a30e34591238a3000e61f01190
SHA1

0782e1886bcd305cd760bda7f4df62dd37adcbb6
SHA256

6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e
SHA512

a92132b6b723dfd2d2440544e7ac87a84c3ecae6aae82f8dea48a471147edd130c37c98745f8d5af6199eb9622ff201340b3201314d13f6f20487e9abcc90ecc
SSDEEP

6144:oXKaLU85MRAGwSGqCWKg9WondmUuax8A58dN:oXttMRAMXCWKePtuaN5ON

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2564	LocalZzsVTydrMU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe
2564	LocalZzsVTydrMU.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	LocalZzsVTydrMU.exe
Token: SeRestorePrivilege	1976	dw20.exe
Token: SeBackupPrivilege	1976	dw20.exe
Token: SeBackupPrivilege	1976	dw20.exe
Token: SeBackupPrivilege	1976	dw20.exe
Token: SeBackupPrivilege	1976	dw20.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2564	5080	6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe	78
PID 5080 wrote to memory of 2564	5080	6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe	78
PID 5080 wrote to memory of 2564	5080	6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe	78
PID 2564 wrote to memory of 1976	2564	LocalZzsVTydrMU.exe	79
PID 2564 wrote to memory of 1976	2564	LocalZzsVTydrMU.exe	79
PID 2564 wrote to memory of 1976	2564	LocalZzsVTydrMU.exe	79

C:\Users\Admin\AppData\Local\Temp\6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe
"C:\Users\Admin\AppData\Local\Temp\6750060647f3f2a3d6622a69ca26ccca27d1f8ff8422857663a4d77a89e0868e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\LocalZzsVTydrMU.exe
  "C:\Users\Admin\AppData\LocalZzsVTydrMU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 972
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalZzsVTydrMU.exe

Filesize
220KB

MD5
f4e2f8ad9549142771b53b077b1ea4a9

SHA1
4448caae869e668fae75eab31e334a7675c11afe

SHA256
558ab7c54d899c6c4a68ea9349f7b4b89c51a566179505663e68431d261cf92a

SHA512
4be79cb9e53aad5828a8353acbb3b35c9ac62e277cdecf10fa29c2fc5a258f1dd34ed2e9bc2972884f4d16bfb68e5642c57e49c57ad4891054d4247d05ece9ac

Download Submit
C:\Users\Admin\AppData\LocalZzsVTydrMU.exe

Filesize
220KB

MD5
f4e2f8ad9549142771b53b077b1ea4a9

SHA1
4448caae869e668fae75eab31e334a7675c11afe

SHA256
558ab7c54d899c6c4a68ea9349f7b4b89c51a566179505663e68431d261cf92a

SHA512
4be79cb9e53aad5828a8353acbb3b35c9ac62e277cdecf10fa29c2fc5a258f1dd34ed2e9bc2972884f4d16bfb68e5642c57e49c57ad4891054d4247d05ece9ac

Download Submit
memory/2564-136-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-138-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-132-0x00007FF815C60000-0x00007FF816696000-memory.dmp

Filesize
10.2MB

Download