338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
Size

104KB
MD5

443a3a821ca830f39343008f40684170
SHA1

6daaa1be7e32c9eb4c9263045734f7ee965a0d93
SHA256

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b
SHA512

99c1d179dc47305e885a7beb839b043a94e388c67573e86f6f9b2483cc1e769b13abedf8e8d3c01ffbfbe9600b7aa8fd7689b074ba08a6b602d9de3014ea48b7
SSDEEP

1536:nsxb38MhDn2fmAInL6yId2xdMGfR9TQ2g8cifaxK2jd3psK/OV16PZdpM2KczgBS:nu7nL6K7f3ixF2o9RH5BbtcH2Eq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

864 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 864 tasklist.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

pid process

1104 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

pid	process
864	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	864	tasklist.exe

pid	process
1104	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 2580	1104	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe	cmd.exe
PID 1104 wrote to memory of 2580	1104	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe	cmd.exe
PID 1104 wrote to memory of 2580	1104	338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe	cmd.exe
PID 2580 wrote to memory of 864	2580	cmd.exe	tasklist.exe
PID 2580 wrote to memory of 864	2580	cmd.exe	tasklist.exe
PID 2580 wrote to memory of 864	2580	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
"C:\Users\Admin\AppData\Local\Temp\338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-135-0x0000000000000000-mapping.dmp

Download
memory/2580-134-0x0000000000000000-mapping.dmp

Download