81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a

Analysis

max time kernel
188s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe
Size

18KB
MD5

840b3b6a714f7330706f0c19f99d5eb8
SHA1

6bd97b730e176560752902a2cfe968db6c7860e3
SHA256

81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a
SHA512

ad2816a99f227ca6e5e3f9e2c117f2a5311d98e635619d4d163d3db9369ebd511167715685588b6cde85a5176216e317d947f3ddf94450195ba7cbace53cfd17
SSDEEP

192:K790pylszn3MPFjuOZrCZ047a1oyn361miLMgepar8Vd/:s2pzn4sOZrCv7a18wiLMge68Vd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vytkz.exe

pid process

4132 vytkz.exe

pid	process
4132	vytkz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe

description	pid	process	target process
PID 3412 wrote to memory of 4132	3412	81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe	vytkz.exe
PID 3412 wrote to memory of 4132	3412	81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe	vytkz.exe
PID 3412 wrote to memory of 4132	3412	81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe	vytkz.exe

C:\Users\Admin\AppData\Local\Temp\81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe
"C:\Users\Admin\AppData\Local\Temp\81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\vytkz.exe
"C:\Users\Admin\AppData\Local\Temp\vytkz.exe"
2⤵
- Executes dropped EXE
PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vytkz.exe

Filesize
18KB

MD5
0d644f2942a7701ea9284c335b7c08b0

SHA1
efc5ebda9a2a7a67140ffe37ba8186a6fb142aab

SHA256
fd59c915723d44c7fb5f2bf79085adc17290c8257ae9f8e0f25180914e683022

SHA512
991110f0b88427a02e3f419a2f6d32d7fd5d928864648be9e6f0b5becee9a1ec0db12af3aa083681648e12ebb90aa3b3bcbceda3959fcfa7b33750dbefa04343

Download Submit
C:\Users\Admin\AppData\Local\Temp\vytkz.exe

Filesize
18KB

MD5
0d644f2942a7701ea9284c335b7c08b0

SHA1
efc5ebda9a2a7a67140ffe37ba8186a6fb142aab

SHA256
fd59c915723d44c7fb5f2bf79085adc17290c8257ae9f8e0f25180914e683022

SHA512
991110f0b88427a02e3f419a2f6d32d7fd5d928864648be9e6f0b5becee9a1ec0db12af3aa083681648e12ebb90aa3b3bcbceda3959fcfa7b33750dbefa04343

Download Submit
memory/3412-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4132-133-0x0000000000000000-mapping.dmp

Download
memory/4132-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download