Analysis
- max time kernel: 148s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:15
Static task: static1
Behavioral task: behavioral1
- Sample: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe
- Resource: win10v2004-20220812-en
General
- Target: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe
- Size: 1.7MB
- MD5: 369c9c77c1643975a9c093c3f776c2ac
- SHA1: 8a079e78eab762336d2250e04b628711da89a464
- SHA256: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf
- SHA512: 593ee7d4f6f4e02a808108f37a9daed770d410e080ec3097c40b8de30eb30c30d16a495cae3fcc7801e3b981d01fe6213a5143665a70f34bf45e7bf83b2b2972
- SSDEEP: 49152:zunBfk3AMQE4g2FHTy9rZnXEjPtzQqVsXk+keT:zKBfk3ADh1arZn0jPtzd+kQ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe)
- Loads dropped DLL (1 IoCs)
  Processes: msiexec.exe (PID 4688)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe
  PID 3500 (980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe) wrote to memory of PID 4688 (msiexec.exe)
  PID 3500 (980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe) wrote to memory of PID 4688 (msiexec.exe)
  PID 3500 (980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe) wrote to memory of PID 4688 (msiexec.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\980b574cdf4c4f7249d7c1e065246a48b56727368b20cf5a03aa284d236b5bbf.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" -Y .\V_YWT.d
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\V_YWT.d
  Filesize: 2.1MB
  MD5: 14aaa15ee8eabc0498dcc092ca789169
  SHA1: 8e053cf4dbc7bed60d34e445bac5fc956f9dc03b
  SHA256: a8d3d3608d0112d94ea78be633e9202744851d37ce84fa161487a8349124eafd
  SHA512: a461e51cdb7de0a0bab2473c0a8808b53bb7c92da96fde70a7a6c5b97d6e30d7eb5a4504b6a2d4292129c313e97ac81d4ef9c0ab8ce04b1c392d943d4e27bf5f
- C:\Users\Admin\AppData\Local\Temp\v_yWT.d
  Filesize: 2.1MB
  MD5: 14aaa15ee8eabc0498dcc092ca789169
  SHA1: 8e053cf4dbc7bed60d34e445bac5fc956f9dc03b
  SHA256: a8d3d3608d0112d94ea78be633e9202744851d37ce84fa161487a8349124eafd
  SHA512: a461e51cdb7de0a0bab2473c0a8808b53bb7c92da96fde70a7a6c5b97d6e30d7eb5a4504b6a2d4292129c313e97ac81d4ef9c0ab8ce04b1c392d943d4e27bf5f
- memory/4688-132-0x0000000000000000-mapping.dmp
- memory/4688-135-0x00000000032E0000-0x0000000003493000-memory.dmp
  Filesize: 1.7MB
- memory/4688-136-0x00000000035E0000-0x0000000003721000-memory.dmp
  Filesize: 1.3MB
- memory/4688-137-0x0000000003730000-0x00000000037FF000-memory.dmp
  Filesize: 828KB
- memory/4688-138-0x0000000003800000-0x00000000038BC000-memory.dmp
  Filesize: 752KB
- memory/4688-139-0x0000000003800000-0x00000000038BC000-memory.dmp
  Filesize: 752KB
- memory/4688-141-0x00000000035E0000-0x0000000003721000-memory.dmp
  Filesize: 1.3MB