2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15

Analysis

max time kernel
169s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
Size

8.5MB
MD5

181598b1efd5cadf471a942e81a6e4f3
SHA1

73b54509cfeb632fbd83edae8c1faf6645a9b953
SHA256

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15
SHA512

a26c373b30abbbdb9d309faa7f87dcfb5f9977d2336a879d905ab82b3ffbe2a3964a0e7495d54e512ec6c3933a22dc83609d1ae763a7771d378f0f0ff3ac422c
SSDEEP

196608:Vif7B6X6Ko54CO+hQiTgsVzwkzHL4Q5rxg1/9uY/QueuzUsh8vMoc7PBArjeG0Zd:Vi4qK6BjhQrewoHX5rx29uZueuxh8UL/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

71 4360 rundll32.exe
74 4360 rundll32.exe
79 4360 rundll32.exe
85 4360 rundll32.exe
86 4360 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

file.exe2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

pid process

3500 file.exe
1156 2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

flow	pid	process
71	4360	rundll32.exe
74	4360	rundll32.exe
79	4360	rundll32.exe
85	4360	rundll32.exe
86	4360	rundll32.exe

pid	process
3500	file.exe
1156	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4360 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4360	rundll32.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exefile.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 3776	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1628 wrote to memory of 3776	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1628 wrote to memory of 3776	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	cmd.exe
PID 1628 wrote to memory of 3500	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1628 wrote to memory of 3500	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 1628 wrote to memory of 3500	1628	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe	file.exe
PID 3500 wrote to memory of 4360	3500	file.exe	rundll32.exe
PID 3500 wrote to memory of 4360	3500	file.exe	rundll32.exe
PID 3500 wrote to memory of 4360	3500	file.exe	rundll32.exe
PID 3500 wrote to memory of 4248	3500	file.exe	cmd.exe
PID 3500 wrote to memory of 4248	3500	file.exe	cmd.exe
PID 3500 wrote to memory of 4248	3500	file.exe	cmd.exe
PID 3776 wrote to memory of 1156	3776	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 3776 wrote to memory of 1156	3776	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
PID 3776 wrote to memory of 1156	3776	cmd.exe	2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
"C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_ms0466.bat" "C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe
"C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe"
3⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\3E7.dll",ADB_Release
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E7.bat" "
3⤵
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2267357a15d6051553403520d95e3c7855f21c176a65cce4998633e01474bc15.exe

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7.bat

Filesize
138B

MD5
80cae69a068651ae6ad6f021f5a363b0

SHA1
485dc15789a26d49a6133ad926d9bef992cc27d4

SHA256
f8f1e896b95e0bc1fc4fecbcf2658ef10a17ba0c8333af6e846b1588e90c3246

SHA512
5a5b769f5e87714ab37bfae4cf4b40a3daf1b294c28abfa64ebae0170caa29ef76c8e3220cdd8dc42d18a7ba972ddd92bfe4bd43dde98c2fa437664c23575a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL_V3132_1202_20D.exe.org

Filesize
7.6MB

MD5
79e02ce2e90fcbed9f5bca4c006258cb

SHA1
9bf0c29ee460c236df9737b2ae742387117624a5

SHA256
1d4858117e4d9d40fa80cb35f80831495d3fea7c28ba6b37ae21f71d4ed808c4

SHA512
2266e209630fbcf69668d023104077928fa87d25e4acf30eaaeb6e1c9b5d7e58888cf0c52186bdc06144a736c7912562fe27da4dc85aee7f23ad82c8d5f7702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0466.bat

Filesize
244B

MD5
75bf93c2c229d265e8787383e7b109da

SHA1
83ce3462ea39e98dd163082e38505d1136313a91

SHA256
1587a14ea3b7e1b7d2ef82b27ec549d03a3e8fbc7b5cd4d3bbb09e58ff540a73

SHA512
ae96e713c996c9854a2ace1751d2c15287e76302af8c3965a231e8821fd1ec18fe41409a001a636a2ea11f797ce3d780fd4c3425bcd1a234c72b771b5fc24c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/1156-143-0x0000000000000000-mapping.dmp

Download
memory/3500-133-0x0000000000000000-mapping.dmp

Download
memory/3776-132-0x0000000000000000-mapping.dmp

Download
memory/4248-139-0x0000000000000000-mapping.dmp

Download
memory/4360-137-0x0000000000000000-mapping.dmp

Download