7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0

Analysis

max time kernel
118s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 10:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
Size

1.5MB
MD5

83cd357f062ab0ac56ff2fe5ee2085cf
SHA1

805d31221d8557c954bd1b8b185876679803c239
SHA256

7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0
SHA512

d1c544d1b3ccec59497c89fa7aebec210df1d4b73e4cf1097b3acd34005877ab8aec5c3cb188697f531a91b73eddc4031feec7a658c37fcaea1dc5914cd0c719
SSDEEP

24576:Hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eGd:wcZC35VcOcmDcc6CdD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
944	PING.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4980	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
4980	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
4980	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
4980	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
4980	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1680	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	82
PID 5052 wrote to memory of 1680	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	82
PID 5052 wrote to memory of 1680	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	82
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 5052 wrote to memory of 4980	5052	7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe	84
PID 1680 wrote to memory of 944	1680	cmd.exe	85
PID 1680 wrote to memory of 944	1680	cmd.exe	85
PID 1680 wrote to memory of 944	1680	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
"C:\Users\Admin\AppData\Local\Temp\7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\PING.EXE
    ping -c 5 8.8.8.8
    3⤵
    - Runs ping.exe
    PID:944
- C:\Users\Admin\AppData\Local\Temp\7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe
  "C:\Users\Admin\AppData\Local\Temp\7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4980

Network

DNS

5zmmi09ewy.1qwkngh17b.com

7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe

Remote address:

8.8.8.8:53

Request

5zmmi09ewy.1qwkngh17b.com

IN A

Response

93.184.221.240:80

260 B
5
93.184.220.29:80

322 B
7
93.184.221.240:80

322 B
7
13.69.239.74:443

322 B
7
104.80.229.204:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5

8.8.8.8:53

5zmmi09ewy.1qwkngh17b.com

dns

7c88f348aa64dd12c03b6ac62d6b98892a200a9892bc3775c297882d17694bb0.exe

71 B
144 B
1
1

DNS Request

5zmmi09ewy.1qwkngh17b.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4980-134-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4980-135-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4980-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4980-138-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4980-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download