Analysis
-
max time kernel
150s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 09:35
General
-
Target
d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe
-
Size
7.7MB
-
MD5
fd9f596b0d88024cffa94540cb837e6b
-
SHA1
85704c78d3726ac45ff0fc9b6504873a56a8094c
-
SHA256
d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2
-
SHA512
47154c927ea66deef12e4f4ebbfa11e115afd9a484b2015a64f018ca9a1568b5de1692a1315b492d4f79b8721a7dfa2728a2c10a3717d6dce550e0761928b7e5
-
SSDEEP
196608:d/p7W7CxzD/64edSppgTeFCa28Ry4SaZywpBwO3+76sdZGat4r:dx7Yw3/iSpeU3ZRjJyw7wI+71rGat4r
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs .reg file with regedit 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe"C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /S reg.reg3⤵
- Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b5a4d7472c0cea64a0b2f02a4c15aa5b
SHA12a1b37222568bf0571ff23248497cab0ff1b66bf
SHA256570d4af82f9892fcc84c9205d38da0713a596f9fcaf944a65494ac47bdfd98f4
SHA512c048c6196ea2eef0cc60f4472b71ecc7dc5f9813168c8bbfd8d5fdd013d8ad543fc802c793ba462985505d4c5b89a2cd473724cf9d4cf873a8391f0f5d90d8c5
-
Filesize
97KB
MD54cf55abdd357a8284a5a8a4e9238541d
SHA17aaa62953f24552b1427973d72f4220715004626
SHA256449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970
SHA512aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978
-
Filesize
97KB
MD54cf55abdd357a8284a5a8a4e9238541d
SHA17aaa62953f24552b1427973d72f4220715004626
SHA256449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970
SHA512aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978
-
Filesize
7.4MB
MD50ccbff0f52ecfeee22366fa7c19e7cfb
SHA1124f5094947e1877fc6cb7a5ffe6c750a0109061
SHA2563f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15
SHA5127c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46
-
Filesize
7.4MB
MD50ccbff0f52ecfeee22366fa7c19e7cfb
SHA1124f5094947e1877fc6cb7a5ffe6c750a0109061
SHA2563f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15
SHA5127c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46
-
-
-