Analysis
max time kernel: 206s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 07:25
Behavioral task: behavioral1
Sample: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Resource: win10v2004-20220812-en
General
Target: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Size: 2.6MB
MD5: 05d5981642e6cd89a646b1854be683e6
SHA1: 0d987ced733fbf76a4623176c503802d2cfe3932
SHA256: 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63
SHA512: 1c3250c03d1e88db47cc5fe07eab550dfb2598b89945f5e6754413f7a26b5949d996cd5ef4f616bb2c5a78e1c95f46eda1eec000e8ac40e16490281503baa7b5
SSDEEP: 49152:9RQi1iyA3ePyFmITaqZ4juFqR0axwwed/TPY/7N/1Xx2Wp+:wF93cQmjA4aI0aSfOPXx
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 392 1.exe
Yara rule matches (resource, yara_rule):
- behavioral2/memory/3136-132-0x0000000000400000-0x00000000008FE000-memory.dmp vmprotect
- behavioral2/memory/3136-136-0x0000000000400000-0x00000000008FE000-memory.dmp vmprotect
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 3136 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe (2 entries)
- 392 1.exe (remaining 62 entries, all identical)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 392 1.exe (3 identical entries)
Suspicious use of WriteProcessMemory 3 IoCs
Processes (description, pid, process, target process):
- PID 3136 wrote to memory of 392 | 3136 | 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe | 1.exe (3 identical entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\1.exe (child of [1])
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 1.7MB
  MD5: 726a11b7025866b24c2797b1b3355e1c
  SHA1: b54c54a1f26feec9f3078584789f00b7c5f57ea0
  SHA256: 435e36cfe4b8bf8efeb70753db014a966ff42faeea48decb258ebf8afeb61a5a
  SHA512: 2196fbc857bbfe6b4522c475a4dc0405ed2883ab214abd4f1ad05e3b6c5042c2cc59baf0dd0eab9c655531614c3e25238d0e41eced640eea0e486113204e1b85
- memory/392-133-0x0000000000000000-mapping.dmp
- memory/3136-132-0x0000000000400000-0x00000000008FE000-memory.dmp
  Filesize: 5.0MB
- memory/3136-136-0x0000000000400000-0x00000000008FE000-memory.dmp
  Filesize: 5.0MB