652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa

Analysis

max time kernel
194s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
Size

1.5MB
MD5

24974f49274397aa66000a14f8960819
SHA1

b47590b6a56684624c12bd157c22a3385a15b5c4
SHA256

652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa
SHA512

24bcc9ea0cc07e90f864b54c3979776a746fa422199e62e1d029a129d3df0f3dda0ca34c3b1b2bb237ec5e9ad2a942135d2dbae2ae16fea0e1408b69ad8b257b
SSDEEP

24576:Hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eGM:wcZC35VcOcmDcc6Cd6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4468 set thread context of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1616	PING.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1456	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
1456	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
1456	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
1456	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
1456	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3768	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	84
PID 4468 wrote to memory of 3768	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	84
PID 4468 wrote to memory of 3768	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	84
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 4468 wrote to memory of 1456	4468	652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe	85
PID 3768 wrote to memory of 1616	3768	cmd.exe	88
PID 3768 wrote to memory of 1616	3768	cmd.exe	88
PID 3768 wrote to memory of 1616	3768	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
"C:\Users\Admin\AppData\Local\Temp\652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\PING.EXE
    ping -c 5 8.8.8.8
    3⤵
    - Runs ping.exe
    PID:1616
- C:\Users\Admin\AppData\Local\Temp\652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe
  "C:\Users\Admin\AppData\Local\Temp\652c40deb78c98ad0d4b44a8077af3848be606562e928f1ce5283557d334d7fa.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-134-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1456-133-0x0000000000000000-mapping.dmp

Download
memory/1456-135-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1456-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1456-138-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1456-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1456-140-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1616-137-0x0000000000000000-mapping.dmp

Download
memory/3768-132-0x0000000000000000-mapping.dmp

Download