72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7

Analysis

max time kernel
163s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
Size

122KB
MD5

690b24181cb8167c60ab38848db6908e
SHA1

feacfbbeeedb488a39f9e0ea99c05432faafcbbc
SHA256

72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7
SHA512

af4ec0d69c7f8cfaf872f06cdf1bed08c139fd21873d04248bb9902701d6f0e2e15c81f6df1b58746b46f31544ea82cb470fa2cfcd673acf25015604ff1159af
SSDEEP

3072:zLk395hYXJEjLaMb4n3Hwcg74lTt0neAsnFN:zQqgDS3HlgUlTt0n8n3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	hdvid.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe

Loads dropped DLL 15 IoCs

pid	Process
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe
2324	hdvid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000300000002265a-137.dat	nsis_installer_1
behavioral2/files/0x000300000002265a-137.dat	nsis_installer_2
behavioral2/files/0x000300000002265a-138.dat	nsis_installer_1
behavioral2/files/0x000300000002265a-138.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	hdvid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2324	1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe	83
PID 1452 wrote to memory of 2324	1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe	83
PID 1452 wrote to memory of 2324	1452	72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe	83

C:\Users\Admin\AppData\Local\Temp\72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe
"C:\Users\Admin\AppData\Local\Temp\72e93b14802cb3d7400ca46dda1f475b92e4a5cfda82629f67abf0d4b7dda7c7.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\hdvid.exe
  "C:\Users\Admin\AppData\Local\Temp\hdvid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hdvid.exe

Filesize
70KB

MD5
40cc1fa11e302276e74d40121ac0793e

SHA1
d6061a14555210155a7ba75419062cb9ac389ead

SHA256
91302db86355b9bcecccbca73e2245db679aa24cda4f50d970d1c7952f48a633

SHA512
5fdefb437be562b52a6a42be6364d344e8b3cfb539d86e645bb4ba746cc4c6cd43d80eb134558d0e70f069160076897c232c7dacf2691c7bcf0e0d01d7930045

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdvid.exe

Filesize
70KB

MD5
40cc1fa11e302276e74d40121ac0793e

SHA1
d6061a14555210155a7ba75419062cb9ac389ead

SHA256
91302db86355b9bcecccbca73e2245db679aa24cda4f50d970d1c7952f48a633

SHA512
5fdefb437be562b52a6a42be6364d344e8b3cfb539d86e645bb4ba746cc4c6cd43d80eb134558d0e70f069160076897c232c7dacf2691c7bcf0e0d01d7930045

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3FE8.tmp\StdUtils.dll

Filesize
18KB

MD5
e03876429de52398e49cf9b308ec97e2

SHA1
c540ca346d63666d40f7d64bec1fdc742ec9b7ae

SHA256
515f58aaad94e1a3c00577e258f9592f5e6eea32e0343392f4611852acf0f906

SHA512
c25ac014c77573af44d44f28ad547bd08f0c6f5b342d5d6269fcbd2dc92f8c2b859ea4091bec9c4e4ad8482b8951b03b526d4bfaddf8f802487d30348aaf627c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3FE8.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3FE8.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3FE8.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\inetc3.dll

Filesize
25KB

MD5
9d8ce05f532dc7b5742831ec8a63c2d8

SHA1
b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

SHA256
fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

SHA512
98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/2324-145-0x00000000039E1000-0x00000000039E5000-memory.dmp

Filesize
16KB

Download
memory/2324-142-0x00000000031B1000-0x00000000031B3000-memory.dmp

Filesize
8KB

Download