90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4

Analysis

max time kernel
186s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe
Size

20KB
MD5

ae3d2f8620f01c7b51dca829f8386dfa
SHA1

d8e6773649449577c1eb696077335ac1aa163f04
SHA256

90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4
SHA512

0298b764e4b3a8e38381aca355fbb20fb5cf6a48618712598d03915accea9c5d847574d9b3deb78471efe219ecb4f455041a2c0a05553298879dafc542e499d7
SSDEEP

192:1lF5m//mmV0VNUhlTg1oynlEwww8mbNpar8ws/:1lF5u+XVNu9g1fSPmbN68ws

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kyyjs.exe

pid process

3144 kyyjs.exe

pid	process
3144	kyyjs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe

description	pid	process	target process
PID 1140 wrote to memory of 3144	1140	90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe	kyyjs.exe
PID 1140 wrote to memory of 3144	1140	90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe	kyyjs.exe
PID 1140 wrote to memory of 3144	1140	90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe	kyyjs.exe

C:\Users\Admin\AppData\Local\Temp\90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe
"C:\Users\Admin\AppData\Local\Temp\90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\kyyjs.exe
  "C:\Users\Admin\AppData\Local\Temp\kyyjs.exe"
  2⤵
  - Executes dropped EXE
  PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kyyjs.exe

Filesize
20KB

MD5
23356ad3eee1a788fcb4cc73e156e2f0

SHA1
14d98c45b64f813c02be56c9a7436886603ab1ef

SHA256
fce9f4bb675d43e060e2df8313ddf7ea0845fd7bbb4d89d509787e49dff758c4

SHA512
7f38a8df896d8844024b52d7d76bd19eb872d581c13ba967ffe201c07cd8170d26b0c148f8f37df8c73a6d566d1aaf1adf59b88be940a88313e28d1248c0d6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyyjs.exe

Filesize
20KB

MD5
23356ad3eee1a788fcb4cc73e156e2f0

SHA1
14d98c45b64f813c02be56c9a7436886603ab1ef

SHA256
fce9f4bb675d43e060e2df8313ddf7ea0845fd7bbb4d89d509787e49dff758c4

SHA512
7f38a8df896d8844024b52d7d76bd19eb872d581c13ba967ffe201c07cd8170d26b0c148f8f37df8c73a6d566d1aaf1adf59b88be940a88313e28d1248c0d6a5

Download Submit
memory/1140-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3144-133-0x0000000000000000-mapping.dmp

Download
memory/3144-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download