1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49

Analysis

max time kernel
2s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
Size

817KB
MD5

2081d437e182ae1206c8536144650aed
SHA1

290f54279ccef388db484a3111f4100decdd66a0
SHA256

1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49
SHA512

c4edce1b095f28fb879c6b673e65a832f6b177d6365ed6675e0f6bc928aceb8091ed3e1c39b6694efd49c25ffcce3c1849f56f5b480f7f93c045e0d44fdc523e
SSDEEP

24576:iFszWS5ZkKpLURv9Ss8yuUBYxbTGFL0RHSiCh7AmxH2:iVKZ0v9mcp6g2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe

description	pid	process	target process
PID 4868 wrote to memory of 4816	4868	1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe	CDClient.exe
PID 4868 wrote to memory of 4816	4868	1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe	CDClient.exe
PID 4868 wrote to memory of 4816	4868	1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe	CDClient.exe

C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
"C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\CDClient.exe
"C:\Users\Admin\AppData\Local\Temp\CDClient.exe"
2⤵
PID:4816

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CDClient.exe
Filesize
423KB

MD5
533b96e8d3d34aa10d202367f6414769

SHA1
9dc5fb1e7472efa5ed09fa872fdd774de29fbdaf

SHA256
13badcea0d904b84011c11e3827204a3ba5d4a8133a650ce8fbe58ab66608deb

SHA512
e545a3fea504111dca0ba7f1dd26dd3a53b6e215b74b9e3800c1e271cf4e0b5b33a32d8be891a9fbe210848edb7e87defb117162efe271c7812158142213917b

Download Submit
memory/4816-132-0x0000000000000000-mapping.dmp

Download