3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe
Size

49KB
MD5

113f10c66db3f82fb362d9377a28e930
SHA1

8270b4194c920221c819f65555f6bc284b5b4dc1
SHA256

3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113
SHA512

1c8da02de0cc0fc79f8df448068ffdd7375d5b5a4144f334e6ff685abce05a2289ba5ec15a729f691531cedceec2ffdbf49a9da436eb4410afd678a0b964c3d4
SSDEEP

1536:TCBs2dk1EdUyb38tpMYmka6a+5a+IiusyZxz:eBOgUZfB1jg+1uZ5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3640	dofhir.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3640	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	81
PID 4916 wrote to memory of 3640	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	81
PID 4916 wrote to memory of 3640	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	81
PID 4916 wrote to memory of 4956	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	82
PID 4916 wrote to memory of 4956	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	82
PID 4916 wrote to memory of 4956	4916	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	82

C:\Users\Admin\AppData\Local\Temp\3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe
"C:\Users\Admin\AppData\Local\Temp\3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\dofhir.exe
  "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
49KB

MD5
d72b3a11cdea0137ac6d8dabe872d5dd

SHA1
3232ac114ae6b7f40ca296f759e288a3d2ddac1f

SHA256
5095f2311bbf88f5c5c526a5201bfd13977e5c010338b7a9a1b352b46451ed1d

SHA512
0c188bc7bf08e2082d86ebe6fb52222eaf599f637053b36ff0d355c25aa42339a8067dfbb715a1a60972a94f22f295aa21d0933698c3b639c55a19b2f1b14dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
49KB

MD5
d72b3a11cdea0137ac6d8dabe872d5dd

SHA1
3232ac114ae6b7f40ca296f759e288a3d2ddac1f

SHA256
5095f2311bbf88f5c5c526a5201bfd13977e5c010338b7a9a1b352b46451ed1d

SHA512
0c188bc7bf08e2082d86ebe6fb52222eaf599f637053b36ff0d355c25aa42339a8067dfbb715a1a60972a94f22f295aa21d0933698c3b639c55a19b2f1b14dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a37dafadf523bfd1cdd3a54d35760713

SHA1
a88d1fc3191e4d6df332ee300605812fd88a37a9

SHA256
236019ebae78106f6226c7a2c82e10377904a8196441f69330b47491e7bd7fa2

SHA512
94ec9e22f2157c27bde78a8801e36dd0fc32a4512caee3d163d63934631e1dfe3678854fda2e88888b836d6020f387d9a09028c08643f8a012e803592125dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
49e0430c412f2c08bf2f2aca41fbb0fe

SHA1
107f3c6806a868bc6d6ca8d96e006bbcff10c325

SHA256
06e38180648ffb89880dec45c5ed57645c92927d8c0b37f2ed0723839c04d53f

SHA512
298894743c7de11a9328172395a463a233e7d523c371518fe3ef40165c8ae4be7343893847a6d0d96e29f70b89c9a3b8d66d48ec595ddf6109085ea38a47f766

Download Submit
memory/3640-140-0x0000000000FB0000-0x0000000000FE5000-memory.dmp

Filesize
212KB

Download
memory/3640-142-0x0000000000FB0000-0x0000000000FE5000-memory.dmp

Filesize
212KB

Download
memory/3640-143-0x0000000000FB0000-0x0000000000FE5000-memory.dmp

Filesize
212KB

Download
memory/4916-132-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/4916-133-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/4916-138-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download