Analysis
- max time kernel: 159s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:40
Static task: static1
Behavioral task: behavioral1
- Sample: b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
- Resource: win10v2004-20221111-en
General
- Target: b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
- Size: 24KB
- MD5: 8552d57b2bcac7b80b7c3d15d1f4abfb
- SHA1: b59da154ef1341f7ef6f2fd86e307261ae8b9810
- SHA256: b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f
- SHA512: b0c002f775a255dfc0463609e5b07364da5b19c6190c8a5eeb3c113ff9a07990bc7d9e24c217af44f65695732f1da51294aa54e1d109afd93edb0db21d162ff1
- SSDEEP: 384:GLfw1wdTQTls4Ynp36Ky+do4kfaqCKy1Xs2mU:GrGwdsTlV4K+dotaqCKEX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 4120: ygczw.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  Process: b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target process), three identical entries:
  PID 908 wrote to memory of 4120 / 908 / b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe / ygczw.exe
  PID 908 wrote to memory of 4120 / 908 / b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe / ygczw.exe
  PID 908 wrote to memory of 4120 / 908 / b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe / ygczw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ygczw.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ygczw.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ygczw.exe
  Filesize: 24KB
  MD5: 2597bc1284c04a8d443df69408d43ea1
  SHA1: 170a3d541e57ed6df3eae0a74dea998a91aecd81
  SHA256: 55d02bf04f75887213682d336d0951a995ba64a3d06369c08e1af669f818d3fb
  SHA512: 3facacf3e13697f16f52b0c2b62986da17d20d236a790ef7db4c79e8c0271c3d1655bb4d257149ec107877d6dffe09040bfdb3ca4d520920561931852008b048
- memory/908-132-0x0000000000400000-0x0000000000403000-memory.dmp
  Filesize: 12KB
- memory/908-133-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/4120-134-0x0000000000000000-mapping.dmp
- memory/4120-138-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB