b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96

Analysis

max time kernel
194s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
Size

237KB
MD5

890dea3912c5b8ca265724d63a857785
SHA1

4cfd25004f97d07c0509b72d4c8e31769bb01528
SHA256

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96
SHA512

cdcfddf5bf3f738f0e8772c883f92f9261d9d81ff033075e67686d41d31a3d472e4432f51921e58173f4424d7a24ac2b37b66bf916422c59ec34964defd2d89b
SSDEEP

6144:J1O+GaAr5UmGV/7QJ2A6XtbTEbEgyAXwU:JU+BmGV1A6XxEbEg8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

description	pid	process	target process
PID 1860 set thread context of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

pid process

1860 b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

pid	process
1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exenet.exe

description	pid	process	target process
PID 1860 wrote to memory of 3860	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	net.exe
PID 1860 wrote to memory of 3860	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	net.exe
PID 1860 wrote to memory of 3860	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	net.exe
PID 3860 wrote to memory of 3688	3860	net.exe	net1.exe
PID 3860 wrote to memory of 3688	3860	net.exe	net1.exe
PID 3860 wrote to memory of 3688	3860	net.exe	net1.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
PID 1860 wrote to memory of 4988	1860	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe	b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe

C:\Users\Admin\AppData\Local\Temp\b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
"C:\Users\Admin\AppData\Local\Temp\b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop sharedaccess
2⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe
"C:\Users\Admin\AppData\Local\Temp\b62791b9f59102b747b4100235e8ec2a128a61e745cab8f143dd7722a2afff96.exe"
2⤵
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3688-135-0x0000000000000000-mapping.dmp

Download
memory/3860-134-0x0000000000000000-mapping.dmp

Download
memory/4988-136-0x0000000000000000-mapping.dmp

Download
memory/4988-137-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4988-139-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4988-140-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download