Analysis
- max time kernel: 2s
- max time network: 6s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-11-2022 22:36

Static task: static1

Behavioral task: behavioral1
Sample: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
Resource: win10v2004-20220901-en
General
- Target: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
- Size: 817KB
- MD5: 2081d437e182ae1206c8536144650aed
- SHA1: 290f54279ccef388db484a3111f4100decdd66a0
- SHA256: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49
- SHA512: c4edce1b095f28fb879c6b673e65a832f6b177d6365ed6675e0f6bc928aceb8091ed3e1c39b6694efd49c25ffcce3c1849f56f5b480f7f93c045e0d44fdc523e
- SSDEEP: 24576:iFszWS5ZkKpLURv9Ss8yuUBYxbTGFL0RHSiCh7AmxH2:iVKZ0v9mcp6g2
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
  description | pid | process | target process
  PID 4868 wrote to memory of 4816 | 4868 | 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe | CDClient.exe
  PID 4868 wrote to memory of 4816 | 4868 | 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe | CDClient.exe
  PID 4868 wrote to memory of 4816 | 4868 | 1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe | CDClient.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe"
  PID: 4868
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CDClient.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CDClient.exe"
    PID: 4816
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CDClient.exe
  Filesize: 423KB
  MD5: 533b96e8d3d34aa10d202367f6414769
  SHA1: 9dc5fb1e7472efa5ed09fa872fdd774de29fbdaf
  SHA256: 13badcea0d904b84011c11e3827204a3ba5d4a8133a650ce8fbe58ab66608deb
  SHA512: e545a3fea504111dca0ba7f1dd26dd3a53b6e215b74b9e3800c1e271cf4e0b5b33a32d8be891a9fbe210848edb7e87defb117162efe271c7812158142213917b
- memory/4816-132-0x0000000000000000-mapping.dmp