Analysis
max time kernel: 144s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 10:20
Static task: static1
Behavioral task: behavioral1
Sample: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
Resource: win10v2004-20221111-en
General
Target: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
Size: 1.6MB
MD5: 4fccdcc7068d8c47ddc89e7ef99c3ce5
SHA1: 2ba5829bfe27391c1cbf030b9bc58cdfa3b6c802
SHA256: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0
SHA512: 28309d5e8312ab99e77a20d7ebb327c0670a18701a5c657be81448074015dc5698cd288e3bd5b5ea1784e27d5105aeaf67a13008e1bf129e659774396d89786d
SSDEEP: 49152:VJ4o4UTQ3Uummh7gR7foESsGgceqocYyzZr:VJ4lyyUKgR7foU8ocYyzl
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  process: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
Loads dropped DLL (1 IoC)
Processes:
  pid: 4268
  process: regsvr32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 4588 wrote to memory of 4268
  pid: 4588
  process: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
  target process: regsvr32.exe

  description: PID 4588 wrote to memory of 4268
  pid: 4588
  process: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
  target process: regsvr32.exe

  description: PID 4588 wrote to memory of 4268
  pid: 4588
  process: 23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
  target process: regsvr32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\23d7ce533653afbe705121a573f842c341e98589896410bac9d1474eb0de80a0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    command line: "C:\Windows\System32\regsvr32.exe" /u /s .\2OGiaZJ.YVA
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\2OGiaZJ.YVA
  Filesize: 1.7MB
  MD5: 10d3fdc4002fe22147995bca57995b4b
  SHA1: 37df1305853ca80692614f1236ac8e6ae1ef8511
  SHA256: 6835d8ec83939c095008133521d5326b05f1110757af2ee87a60cfab60b7fd65
  SHA512: 6918a2f5bea3091b5bf637ff54e8b22049cf1bfb1c7aa008d096fa57b21991ca0df33151f6b71f3c2a1663dece263f311354bad240154c4a129a145c0145a761

C:\Users\Admin\AppData\Local\Temp\2OGiaZJ.YvA
  Filesize: 1.7MB
  MD5: 10d3fdc4002fe22147995bca57995b4b
  SHA1: 37df1305853ca80692614f1236ac8e6ae1ef8511
  SHA256: 6835d8ec83939c095008133521d5326b05f1110757af2ee87a60cfab60b7fd65
  SHA512: 6918a2f5bea3091b5bf637ff54e8b22049cf1bfb1c7aa008d096fa57b21991ca0df33151f6b71f3c2a1663dece263f311354bad240154c4a129a145c0145a761

memory/4268-132-0x0000000000000000-mapping.dmp

memory/4268-136-0x0000000002FA0000-0x00000000030B5000-memory.dmp
  Filesize: 1.1MB

memory/4268-135-0x0000000002D40000-0x0000000002E7B000-memory.dmp
  Filesize: 1.2MB

memory/4268-137-0x00000000030C0000-0x0000000003187000-memory.dmp
  Filesize: 796KB

memory/4268-138-0x0000000003190000-0x0000000003244000-memory.dmp
  Filesize: 720KB

memory/4268-139-0x0000000003190000-0x0000000003244000-memory.dmp
  Filesize: 720KB

memory/4268-141-0x0000000002FA0000-0x00000000030B5000-memory.dmp
  Filesize: 1.1MB