Analysis
-
max time kernel
138s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 09:05
General
-
Target
13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe
-
Size
793KB
-
MD5
6f9e437cd3114aef8abe2e3c4e09fcc7
-
SHA1
6d6fbae415b504ff30d3f6bee49a30a497eb1919
-
SHA256
13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825
-
SHA512
a2f2c12949e44b7e193a609b406325eec75505a76e350923f3a35b5da3310f99e10392c1daa801a22a2d34973fff6c076cb1668643cdf660a333e1a63ae79bac
-
SSDEEP
24576:IFszWS5byefnp9pgp9EQjAyEBVvEqABf/+8aBqUybDsBK:IwreNwBVMvfEjO0K
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe"C:\Users\Admin\AppData\Local\Temp\13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2764\2764.exe"C:\Users\Admin\AppData\Local\Temp\2764\2764.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2764\2764.exeFilesize
2.0MB
MD5af0ebdcf924b390e8da8cd3bc27dfd2b
SHA104a0f86d69913a3b212540302481761ea786e734
SHA2568d312e8c8ad98be510c219aff7f069785133cfd6d4723ccf92f88c796581a636
SHA5122b8e42a48d2d196e8e1a6f08a3343029dacd7f63f0c3bf03b3673ab7468bf4819f2c79fdcf71d1e548ba0bd9f7d0223d8e7af2e5473590d7c95154c5a536a86c
-
C:\Users\Admin\AppData\Local\Temp\2764\2764.exeFilesize
2.0MB
MD5af0ebdcf924b390e8da8cd3bc27dfd2b
SHA104a0f86d69913a3b212540302481761ea786e734
SHA2568d312e8c8ad98be510c219aff7f069785133cfd6d4723ccf92f88c796581a636
SHA5122b8e42a48d2d196e8e1a6f08a3343029dacd7f63f0c3bf03b3673ab7468bf4819f2c79fdcf71d1e548ba0bd9f7d0223d8e7af2e5473590d7c95154c5a536a86c
-
C:\Users\Admin\AppData\Local\Temp\2764\linkconfig.iniFilesize
7B
MD5fb598d01bcb86ec10edf9081c2e5d91a
SHA1f46cf8aac7247782c617d3981f08fcb0355ddf71
SHA25664d32254248525b3dae6d529a096126ea9b294b242e43da21cd695ecb0bcb164
SHA512a42a26bd5201c30d9ae6a657f929113c3eb6521015652f595d3da798771c6fb6ee3ac80a8c42efaa167746916cf8400c9fc0f1aa1c0ce3fa615a242279205ef6
-
C:\Windows\suuwwwx.dllFilesize
139KB
MD5b44ade3e8e161f17f0e2c6942f9165ff
SHA1a45fe8a6ebed71b3e30241cf17cf6e67a6d83dcb
SHA256653d6d49ecbb4c0056247efcb4a482725ca26092526a7f8b02a98fb4a66b6edb
SHA5120d13af4e99d37ee34787ebab8a03c7f4bf2041a50ef9bb15454e91605a464a75173f8bb557b3ba7fe6b96020bc4d98c32546e1af059ddbfe06bd5fab056ee2a3
-
C:\Windows\suuwwwx.dllFilesize
139KB
MD5b44ade3e8e161f17f0e2c6942f9165ff
SHA1a45fe8a6ebed71b3e30241cf17cf6e67a6d83dcb
SHA256653d6d49ecbb4c0056247efcb4a482725ca26092526a7f8b02a98fb4a66b6edb
SHA5120d13af4e99d37ee34787ebab8a03c7f4bf2041a50ef9bb15454e91605a464a75173f8bb557b3ba7fe6b96020bc4d98c32546e1af059ddbfe06bd5fab056ee2a3
-
memory/4960-132-0x0000000000000000-mapping.dmp
-
memory/4960-138-0x0000000002F90000-0x0000000002FBC000-memory.dmpFilesize
176KB