da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2

Analysis

max time kernel
204s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe
Size

2.4MB
MD5

b526e3f6c71759955564a1df0196ed4e
SHA1

e754514fe13c7ffe7af2e662a6b852e8748a4388
SHA256

da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2
SHA512

164687a922185f9844d57d53bed9f4b1080bd93dd07dbc05f1fb48504ed3c60d40cc1e896aeec2b4db19223a364b0999560e13eec16047124d2c01dc4e892915
SSDEEP

49152:p5/diQU/Yy/PTBBkMXQshQfIMcrxTOTPTe0rt0FPnCKakOF0ueb6tp/WjTk:p5Ffy/VBkSQshQfWr0TPTneZ6kOF/kQD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe

description	pid	process	target process
PID 4716 wrote to memory of 1800	4716	da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe	WScript.exe
PID 4716 wrote to memory of 1800	4716	da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe	WScript.exe
PID 4716 wrote to memory of 1800	4716	da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe
"C:\Users\Admin\AppData\Local\Temp\da558228b47aa3d4dce53474e84fa5d6340cb3af1eee5d279e64685458f06ff2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CmpuInfo.vbs"
2⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CmpuInfo.vbs

Filesize
8KB

MD5
a8df7437cd973f1abefb329606bd7428

SHA1
7e1ede077df6a3835fab78a51a16c25edc881f55

SHA256
ceece00ec2eb77ebae864bd0750fcee4c1d60f68b189e710468210f9303c4ff7

SHA512
18dc49c07350da620784a95d61c39003eb0024ba6d7071f97248a25c112215533b1e2c8acfe23d10760df52f721e36b28fcbf8c1fe1346d650175174e93ef249

Download Submit
memory/1800-132-0x0000000000000000-mapping.dmp

Download