aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e

Analysis

max time kernel
151s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
Size

60KB
MD5

25e5f4214ec58c53cc0f463e90e4eb99
SHA1

8b637146106a4502abbb6a40f435a823043c0315
SHA256

aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e
SHA512

aecba4a807b2528bfa7e559c2cb8dd725d09029cf523847cdb1ae5f7aa0cc18ba7e6b96345dd4708414950a35155fb3c8f6ae9f62c47eebd3e7c3947249368d2
SSDEEP

1536:V3cpyORJLuB4P4AJJv4Romu/v4ptqrmX+lE8QG+v:V3c1fP4AJJv45Slwj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe

Loads dropped DLL 9 IoCs

pid	Process
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Internat Explorar\Desktop.ini	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
File opened for modification	C:\Users\Public\Desktop\Internat Explorar\Desktop.ini	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tbgw.ico	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
File opened for modification	C:\Windows\tbgw.ico	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 4256	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	84
PID 1344 wrote to memory of 4256	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	84
PID 1344 wrote to memory of 4256	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	84
PID 1344 wrote to memory of 1232	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	86
PID 1344 wrote to memory of 1232	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	86
PID 1344 wrote to memory of 1232	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	86
PID 1232 wrote to memory of 1348	1232	cmd.exe	89
PID 1232 wrote to memory of 1348	1232	cmd.exe	89
PID 1232 wrote to memory of 1348	1232	cmd.exe	89
PID 1344 wrote to memory of 4888	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	90
PID 1344 wrote to memory of 4888	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	90
PID 1344 wrote to memory of 4888	1344	aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe
"C:\Users\Admin\AppData\Local\Temp\aa092cf8b50553607c07750973bc47374830a88553cbd8cc3d26078433f1140e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move "C:\Users\Admin\AppData\Local\Temp\Internat Explorar" "C:\Users\Public\Desktop\Internat Explorar"
  2⤵
  PID:4256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib "C:\Users\Public\Desktop\Internat Explorar" +s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Public\Desktop\Internat Explorar" +s
    3⤵
    - Views/modifies file attributes
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat" "
  2⤵
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD2F7.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat

Filesize
250B

MD5
e768a2189ca46def58d064bbe60a80ae

SHA1
2793a3c5ed1b8e0a14b6027f44bed922df47180b

SHA256
c0e43939771f1c04aee4d0ae4344c307b74d69f5245541ae8f736cdc1b102327

SHA512
01445a829bb466c20c2b2ae3d6cdaef356802288feb610a95d837ecdea781cce2133b91d88bf8bc77f9a35c132ef24d5736fbc7825a23fc9847b4b1717606ea1

Download Submit
memory/1344-141-0x0000000003631000-0x0000000003633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads