de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067

Analysis

max time kernel
92s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe
Size

100KB
MD5

4b5a55a7313ee1aef50e8e69b57d24a3
SHA1

7918d7d38f7736abb7920ea41e1bb2ed27d2814f
SHA256

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067
SHA512

8cbd139cec215c8c263b45be969f61296259fd8f2476a28389cc6b53585ae7d4cfd121525bebd4b5a1f7f590495e54cc98d0aaa37bbafedd39c79b05624c6b62
SSDEEP

1536:qPqyxhSQPxv17l3OPIrel9pEH4XUaWRJpAgU:qPqyxDPxaPIriq/pAgU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pracess4.exe

pid process

2352 pracess4.exe

pid	process
2352	pracess4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exepracess4.exe

pid process

4216 de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe
2352 pracess4.exe

pid	process
4216	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe
2352	pracess4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe

description	pid	process	target process
PID 4216 wrote to memory of 2352	4216	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe	pracess4.exe
PID 4216 wrote to memory of 2352	4216	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe	pracess4.exe
PID 4216 wrote to memory of 2352	4216	de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe	pracess4.exe

C:\Users\Admin\AppData\Local\Temp\de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe
"C:\Users\Admin\AppData\Local\Temp\de49913976e5de38c57ffabbdfcbb4a5c78f0f8142d8bc7a685dacaddcdfb067.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\pracess4.exe
  "C:\Users\Admin\AppData\Local\Temp\pracess4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pracess4.exe

Filesize
80KB

MD5
194b6beb23300a53bb339d2e6c5e43d2

SHA1
cf937940247caeabffeb016293082f2df6561cc5

SHA256
98db74f58d3d646d1d5baccaa5d47417a909f4c709ecdfd5be1c241da646f510

SHA512
c7a21f4a5f940ebf9d7d0a9b7866a068b356086481edc6e248801f56703e25389dc35ed5de2c81a3c723c208ee2cdb99dadcfd772e30393ed8b26f694b90c844

Download Submit
C:\Users\Admin\AppData\Local\Temp\pracess4.exe

Filesize
80KB

MD5
194b6beb23300a53bb339d2e6c5e43d2

SHA1
cf937940247caeabffeb016293082f2df6561cc5

SHA256
98db74f58d3d646d1d5baccaa5d47417a909f4c709ecdfd5be1c241da646f510

SHA512
c7a21f4a5f940ebf9d7d0a9b7866a068b356086481edc6e248801f56703e25389dc35ed5de2c81a3c723c208ee2cdb99dadcfd772e30393ed8b26f694b90c844

Download Submit
memory/2352-134-0x0000000000000000-mapping.dmp

Download