Analysis
- max time kernel: 307s
- max time network: 343s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 09:40
Static task: static1
Behavioral task: behavioral1
  Sample: d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
  Resource: win10v2004-20221111-en
General
- Target: d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
- Size: 1.7MB
- MD5: e9427f90fa6a5eeae0cd35ba233b8ef5
- SHA1: de895483069263701470cd8d5ed17faa6f9997e8
- SHA256: d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3
- SHA512: b2605f9ec45e5ecb63d63decb3d934e724adb0c35945c110c7e1775e9516f1b8b5dfe1814e98c372d40c487e05ad86073f84593a783ed5b47ad4c7e7d54bd23b
- SSDEEP: 49152:Jkwkn9IMHeaCZ5HMAn1+PcYpcH025aPCS:ydnVA5xn1fxH02sPC
Malware Config
Signatures
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | MailPassView
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | MailPassView
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | WebBrowserPassView
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | Nirsoft
    C:\Users\Admin\AppData\Local\Temp\6104\6104.exe | Nirsoft
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1208 | 6104.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 4436 wrote to memory of 1208 | 4436 | d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe | 6104.exe
    PID 4436 wrote to memory of 1208 | 4436 | d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe | 6104.exe
    PID 4436 wrote to memory of 1208 | 4436 | d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe | 6104.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d61b5219d90f738301b61a6c6f332ba8a6957084a10017c7b8fdd05188dcfac3.exe"
      PID: 4436
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\6104\6104.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\6104\6104.exe"
        PID: 1208
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\6104\6104.exe
  Filesize: 936KB
  MD5: 09f4a08b5e5082acaa707b33d8ff7b54
  SHA1: df3f00a21517c662232f5faf2d10532cdb0dfcd7
  SHA256: 9a60e31e4f3f246651737cb069a364d0ca9925609c5f25e641cebd84ce0c17eb
  SHA512: dbca8f650cfcba4738a331c3bc243e984a11fb38e1b05172294575e135e98b7c8b7fc7a5039e5acc51c4dcea90380ad6d86b5f32fd82bca042ccb5b49ac0f566
- memory/1208-132-0x0000000000000000-mapping.dmp
- memory/1208-135-0x0000000073010000-0x00000000735C1000-memory.dmp
  Filesize: 5.7MB
- memory/1208-136-0x0000000073010000-0x00000000735C1000-memory.dmp
  Filesize: 5.7MB