1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e

Analysis

max time kernel
154s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trz6571.exe
Size

389KB
MD5

382d88e30ece53cce0046f1c26d6e4a5
SHA1

b583bafc20bc432ec0967e66ec496277ad75fd5d
SHA256

c9eccba716546375051f9c0e919b55875f158303baa508bf641690346a1af515
SHA512

483dd8c8cdb12096a65d9ee3c27ac97037d3e864b03082b4c18f5c6cefe5d2811adfba2a7643d9c3128093f22790823f3bc82d4b3f41b6f8e1683585976bd90f
SSDEEP

6144:b1dlZro5ycxfqg81E2nfzwG6D6cMYv+Izu50obEhajheQ6+sbG8ZxA01nAj5M:b1dlZo5yLRfV6lMW3zu50gEi41m01n3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Autoclick trackbar.exe

pid process

1476 Autoclick trackbar.exe

pid	process
1476	Autoclick trackbar.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

trz6571.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	trz6571.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

trz6571.exe

description	pid	process	target process
PID 3456 wrote to memory of 1476	3456	trz6571.exe	Autoclick trackbar.exe
PID 3456 wrote to memory of 1476	3456	trz6571.exe	Autoclick trackbar.exe

C:\Users\Admin\AppData\Local\Temp\trz6571.exe
"C:\Users\Admin\AppData\Local\Temp\trz6571.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\Autoclick trackbar.exe
"C:\Users\Admin\AppData\Local\Temp\Autoclick trackbar.exe"
2⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autoclick trackbar.exe
Filesize
22KB

MD5
d9b6262c4c8e22ba78dbcd59e71eb6e9

SHA1
131eb2eb99839e84de5afb81b9481e5f87364b46

SHA256
33ab3bf5318f191d86c528e65956463811ede23c3743d28dce2b454049bca147

SHA512
376b49624f28bea838ac0c670ef98b500cc11f61175149c8c7aaf166039fe6c9619f49a52f78808369854d4e21a40b5d8884144bd15c063aa08b2e9bb0b64a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoclick trackbar.exe
Filesize
22KB

MD5
d9b6262c4c8e22ba78dbcd59e71eb6e9

SHA1
131eb2eb99839e84de5afb81b9481e5f87364b46

SHA256
33ab3bf5318f191d86c528e65956463811ede23c3743d28dce2b454049bca147

SHA512
376b49624f28bea838ac0c670ef98b500cc11f61175149c8c7aaf166039fe6c9619f49a52f78808369854d4e21a40b5d8884144bd15c063aa08b2e9bb0b64a03

Download Submit
memory/1476-132-0x0000000000000000-mapping.dmp

Download
memory/1476-135-0x00007FF9C5510000-0x00007FF9C5F46000-memory.dmp

Filesize
10.2MB

Download