5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe
Size

1.1MB
MD5

c0472277dc8d80ecc9522a9d8fe734a0
SHA1

0047a28f9337e4404afde444919aaf08922c98d5
SHA256

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e
SHA512

d040424304b431dccb46fb95e853ef318d32b8d0b0046d567860fff243cd3f60d41e6c6742001ed903d46aec681dadf9d05d8dde9d16242254b03444a4eb52e6
SSDEEP

24576:74lavt0LkLL9IMixoEgeaWwmRGgl5bWq9MmCS:Okwkn9IMHeaWwtU5KaPCS

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

Executes dropped EXE 1 IoCs

Processes:

5411.exe

pid process

1004 5411.exe

pid	process
1004	5411.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

description	pid	process	target process
PID 4996 wrote to memory of 1004	4996	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe	5411.exe
PID 4996 wrote to memory of 1004	4996	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe	5411.exe
PID 4996 wrote to memory of 1004	4996	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe	5411.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe

C:\Users\Admin\AppData\Local\Temp\5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe
"C:\Users\Admin\AppData\Local\Temp\5b87c6f4f1f3e64668fdf3adaf30a0f184ee96e9676f36f15fbefb29052b467e.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4996

C:\Users\Admin\AppData\Local\Temp\5411\5411.exe
"C:\Users\Admin\AppData\Local\Temp\5411\5411.exe"
2⤵
- Executes dropped EXE
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5411\5411.exe

Filesize
138KB

MD5
9d4e6865b4d8d364dd60024d9a783ad6

SHA1
1c84bab1e7a83d56625e2ca6bd1bf7b7f3af4c14

SHA256
01690a5fc6e51f72a8d7053d2ab8985ae894fd770212e82b32c5f4f74cdc577d

SHA512
c6aa9672839cd6fa526ab3b29a3ac03e3574cc3a18da2916d0b9943a2f942a257f76f0ae854f5426d16a6485a761bf73e3033178deb5a6824a0c600897afd8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5411\5411.exe

Filesize
138KB

MD5
9d4e6865b4d8d364dd60024d9a783ad6

SHA1
1c84bab1e7a83d56625e2ca6bd1bf7b7f3af4c14

SHA256
01690a5fc6e51f72a8d7053d2ab8985ae894fd770212e82b32c5f4f74cdc577d

SHA512
c6aa9672839cd6fa526ab3b29a3ac03e3574cc3a18da2916d0b9943a2f942a257f76f0ae854f5426d16a6485a761bf73e3033178deb5a6824a0c600897afd8f5

Download Submit
memory/1004-132-0x0000000000000000-mapping.dmp

Download