8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213

Analysis

max time kernel
324s
max time network
378s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
Size

203KB
MD5

add1972205939a6a4a50f6020faada08
SHA1

bea81e70bbf8707e8bdf0bb1bb042aa2ef6e7ab6
SHA256

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213
SHA512

05822d9b1b822469e1a530d7b9f6fc87d4c3f20d4129db57dd43ac0a9f647ea74c537408e8aa418dc1ad4723f17d02e722579b6710d79d377f67e50c8e2ea1fc
SSDEEP

3072:hwxVMhOC/dTDbq91+mno3t4QZQ3rtxB5vvexow+oAXLLVMRlSZZzzBL:hTfFDbRnOTrt57LNHzF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3116 server.exe

pid	process
3116	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

server.exe

pid process

3116 server.exe
3116 server.exe
3116 server.exe
3116 server.exe

pid	process
3116	server.exe
3116	server.exe
3116	server.exe
3116	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exeserver.exe

description	pid	process	target process
PID 4628 wrote to memory of 3116	4628	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 4628 wrote to memory of 3116	4628	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 4628 wrote to memory of 3116	4628	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE
PID 3116 wrote to memory of 668	3116	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
"C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
memory/668-135-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3116-132-0x0000000000000000-mapping.dmp

Download
memory/3116-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3116-137-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download