d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3

Analysis

max time kernel
307s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
Size

1.7MB
MD5

e9427f90fa6a5eeae0cd35ba233b8ef5
SHA1

de895483069263701470cd8d5ed17faa6f9997e8
SHA256

d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3
SHA512

b2605f9ec45e5ecb63d63decb3d934e724adb0c35945c110c7e1775e9516f1b8b5dfe1814e98c372d40c487e05ad86073f84593a783ed5b47ad4c7e7d54bd23b
SSDEEP

49152:Jkwkn9IMHeaCZ5HMAn1+PcYpcH025aPCS:ydnVA5xn1fxH02sPC

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

6104.exe

pid process

1208 6104.exe

pid	process
1208	6104.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe

description	pid	process	target process
PID 4436 wrote to memory of 1208	4436	d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe	6104.exe
PID 4436 wrote to memory of 1208	4436	d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe	6104.exe
PID 4436 wrote to memory of 1208	4436	d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe	6104.exe

C:\Users\Admin\AppData\Local\Temp\d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
"C:\Users\Admin\AppData\Local\Temp\d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\6104\6104.exe
"C:\Users\Admin\AppData\Local\Temp\6104\6104.exe"
2⤵
- Executes dropped EXE
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6104\6104.exe
Filesize
936KB

MD5
09f4a08b5e5082acaa707b33d8ff7b54

SHA1
df3f00a21517c662232f5faf2d10532cdb0dfcd7

SHA256
9a60e31e4f3f246651737cb069a364d0ca9925609c5f25e641cebd84ce0c17eb

SHA512
dbca8f650cfcba4738a331c3bc243e984a11fb38e1b05172294575e135e98b7c8b7fc7a5039e5acc51c4dcea90380ad6d86b5f32fd82bca042ccb5b49ac0f566

Download Submit
C:\Users\Admin\AppData\Local\Temp\6104\6104.exe
Filesize
936KB

MD5
09f4a08b5e5082acaa707b33d8ff7b54

SHA1
df3f00a21517c662232f5faf2d10532cdb0dfcd7

SHA256
9a60e31e4f3f246651737cb069a364d0ca9925609c5f25e641cebd84ce0c17eb

SHA512
dbca8f650cfcba4738a331c3bc243e984a11fb38e1b05172294575e135e98b7c8b7fc7a5039e5acc51c4dcea90380ad6d86b5f32fd82bca042ccb5b49ac0f566

Download Submit
memory/1208-132-0x0000000000000000-mapping.dmp

Download
memory/1208-135-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download
memory/1208-136-0x0000000073010000-0x00000000735C1000-memory.dmp

Filesize
5.7MB

Download