88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe
Size

116KB
MD5

eb66549b348dbeeee5c887e8bd70d25f
SHA1

d486d3ecf7b735e0e2807dd4dc4f4a38bf78f6a9
SHA256

88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223
SHA512

30452a2caeb9e11e5c6ef34d91005d1c17ba589b6279fd8ad03e0c51eda5431a6991c23a1c777b620e60bc39997a69b51ee2a8d8e7b8f372b938b229af39eaaf
SSDEEP

3072:SEruu/ZRHSn0gl5ITg/hUm5AmQYAF8ZJJZXMCcx:bbcrl5IsXC8rJV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LocalOoJPoRtNlt.exe

pid process

4596 LocalOoJPoRtNlt.exe

pid	process
4596	LocalOoJPoRtNlt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe

description	pid	process	target process
PID 3360 wrote to memory of 4596	3360	88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe	LocalOoJPoRtNlt.exe
PID 3360 wrote to memory of 4596	3360	88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe	LocalOoJPoRtNlt.exe

C:\Users\Admin\AppData\Local\Temp\88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe
"C:\Users\Admin\AppData\Local\Temp\88273c1e64e138eb104caf1c28f0e5c0f718c3bb00f191a91b3544fdf0f91223.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\LocalOoJPoRtNlt.exe
"C:\Users\Admin\AppData\LocalOoJPoRtNlt.exe"
2⤵
- Executes dropped EXE
PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalOoJPoRtNlt.exe

Filesize
16KB

MD5
2288662c817ae8006087b71ca1ae8235

SHA1
137141c396a6f6506d83781b2ef68a9ed81efe1f

SHA256
b3164b50f842a651470ecbb9fbcde3b9bb1341f21a6d5df08ae267e7298d3bdb

SHA512
52915510eae172327f543850e19a2ac0ad8afa72a2d09e13a9293b8dc5fc47692ab8d7413062be74d32151d93d2bb3823b780eb94b8a3b8e8a38d6df3b041ad0

Download Submit
C:\Users\Admin\AppData\LocalOoJPoRtNlt.exe

Filesize
16KB

MD5
2288662c817ae8006087b71ca1ae8235

SHA1
137141c396a6f6506d83781b2ef68a9ed81efe1f

SHA256
b3164b50f842a651470ecbb9fbcde3b9bb1341f21a6d5df08ae267e7298d3bdb

SHA512
52915510eae172327f543850e19a2ac0ad8afa72a2d09e13a9293b8dc5fc47692ab8d7413062be74d32151d93d2bb3823b780eb94b8a3b8e8a38d6df3b041ad0

Download Submit
memory/3360-132-0x00007FFB5BD60000-0x00007FFB5C796000-memory.dmp

Filesize
10.2MB

Download
memory/4596-133-0x0000000000000000-mapping.dmp

Download
memory/4596-136-0x00007FFB5BD60000-0x00007FFB5C796000-memory.dmp

Filesize
10.2MB

Download