0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca

Analysis

max time kernel
213s
max time network
246s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
Size

202KB
MD5

6c33623044bed83d7ab579bb8dff8fea
SHA1

1181d74579c8eccc84ea5ceaf5eb85bc8934dc99
SHA256

0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca
SHA512

55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c
SSDEEP

3072:sUhH+lIxpQoyjeRhDMiERHi+Oaf9ZJq8/Ng8TTeYEUhOrGp2:V+qXDyShD0Fi+df9ZYaJmYZA0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4304	LocalhhNFCSRcmz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	LocalhhNFCSRcmz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4304	2164	0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe	82
PID 2164 wrote to memory of 4304	2164	0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe	82
PID 2164 wrote to memory of 4304	2164	0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe	82

C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
"C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe
  "C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe

Filesize
72KB

MD5
8ade27886bd4b45661361a87ff22540d

SHA1
705d67ad604f5a2ed770a8025299405ee665beac

SHA256
c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942

SHA512
6d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a

Download Submit
C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe

Filesize
72KB

MD5
8ade27886bd4b45661361a87ff22540d

SHA1
705d67ad604f5a2ed770a8025299405ee665beac

SHA256
c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942

SHA512
6d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a

Download Submit
memory/2164-132-0x00007FFED9000000-0x00007FFED9A36000-memory.dmp

Filesize
10.2MB

Download
memory/4304-136-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4304-137-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download