Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 10:38

General

  • Target

    b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe

  • Size

    1.5MB

  • MD5

    d672a417c1bb5b2255674f43d53509b1

  • SHA1

    53d4553dc3ca8f1cb8bdbd039c7fa7a9567add97

  • SHA256

    b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d

  • SHA512

    150bbf0ac6029f9a208912a4b74cead7b57ae6c0a234d487ef969e831b401f84e24a1046bbc982ae93d6a98d90905e8d2596862152ff9b745213e09520fd5ba1

  • SSDEEP

    24576:Hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eG:wcZC35VcOcmDcc6Cd

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
    "C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\SysWOW64\PING.EXE
        ping -c 5 8.8.8.8
        3⤵
        • Runs ping.exe
        PID:3204
    • C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
      "C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1824
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1824-133-0x0000000000000000-mapping.dmp

  • memory/1824-134-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1824-135-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1824-136-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1824-138-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1824-139-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1824-140-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/3204-137-0x0000000000000000-mapping.dmp

  • memory/3928-132-0x0000000000000000-mapping.dmp