d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 10:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
Size

1.5MB
MD5

9c0e09c805b601dffa5e5a85b750c543
SHA1

7705ee40311625a3486d3c537c788dd99d855a73
SHA256

d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039
SHA512

96f6609406e38bf715db6205a2ac37cd4102dbe30997f579377303c2875bc672889a704ea991dabdb483c5f675022869e5740a97f8580ad5eb7ef9f59308c94c
SSDEEP

24576:hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eGc:acZC35VcOcmDcc6Cd6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4972	PING.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5072	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
5072	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
5072	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
5072	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
5072	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3960	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	80
PID 384 wrote to memory of 3960	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	80
PID 384 wrote to memory of 3960	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	80
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 384 wrote to memory of 5072	384	d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe	82
PID 3960 wrote to memory of 4972	3960	cmd.exe	83
PID 3960 wrote to memory of 4972	3960	cmd.exe	83
PID 3960 wrote to memory of 4972	3960	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
"C:\Users\Admin\AppData\Local\Temp\d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\PING.EXE
    ping -c 5 8.8.8.8
    3⤵
    - Runs ping.exe
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe
  "C:\Users\Admin\AppData\Local\Temp\d0313c6f72abb911d737969e5fa3716ceca79583299a15b070705e599038f039.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5072-135-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5072-134-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5072-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5072-138-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5072-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download