19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39

Analysis

max time kernel
214s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe
Size

25.3MB
MD5

902b9fcf23d2d0acab8c79c895dcaff2
SHA1

c28c882ed8023e6450c2d891a6666df09ef834a3
SHA256

19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39
SHA512

472eb587134a74b03429fe82b96bb6dd5ef6d4c497f6c69ee1719c85adad8606a4c6ddfb9dae90e62ced7d09467c15e50e74fdee2b6d8361b4bf4f13ec3dfc67
SSDEEP

786432:0fTzAyYY8Jrqs+RCUJq1NWzdlLU7RKJVKcop:0BYY8Bq/YP1cI7EJVSp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3208	temp-jinshanduba.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe

Loads dropped DLL 1 IoCs

pid	Process
4824	19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3208	4824	19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe	85
PID 4824 wrote to memory of 3208	4824	19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe	85
PID 4824 wrote to memory of 3208	4824	19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe	85

C:\Users\Admin\AppData\Local\Temp\19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe
"C:\Users\Admin\AppData\Local\Temp\19b8c9f5ff2c350aab84ec505ff9698861241f3ceb7b0686aff0486502674d39.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\temp-jinshanduba.exe
  "C:\Users\Admin\AppData\Local\Temp\temp-jinshanduba.exe"
  2⤵
  - Executes dropped EXE
  PID:3208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jinshanduba.ini

Filesize
64B

MD5
3d3dac0cb47a85fdb1c0aea37d017255

SHA1
ab6d9fa649bcd73284e731e1ece87e41db3df6d7

SHA256
c689780073fc20c2f88d97c0a6ef285c4aae87a5e68265bf2d72289b0decaacd

SHA512
930c1c72763f26d8161f9acd87f7b0a2c7672da33a8f3f3547631cdd607b520a9f47d68691fade1218e3d9f7f29779083a2988e09792ebe4247d37b4a0059a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaB9DB.tmp\Banner.dll

Filesize
4KB

MD5
258dd27107feabb1969908a9387a79d7

SHA1
80f85b610e57d6ab07988cdae60c83300bef6a8f

SHA256
f4fc1344c32ad1c075067c6abfd168a1815dbc6f97103e83e7e8e708230889d2

SHA512
e2df96efab3ea794e75b6a3c9038601c7abd956b41fbbcc4fb60013e0d319d9978f539dc0f944778d05d2e384192d918e06dce8bf76f355d0cbfd142313b9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-jinshanduba.exe

Filesize
1.5MB

MD5
f6d846e43ac3b47d6366eb05d0b85ddb

SHA1
c3252b56dbc076cb3e232ce2e6a9aa18a11144a7

SHA256
5fbfe27a69498b83fab2447a509a746806d747dae201e9ea2b05286e433aa786

SHA512
0eb24ca46e60131d0006b586ac7ec0b77c9d4b85af1c2bbfe01a5306ea5a89a07562161fa60ffa475d66cedc43951377d92f11ceada8babc029bb04bd5a37f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-jinshanduba.exe

Filesize
1.5MB

MD5
f6d846e43ac3b47d6366eb05d0b85ddb

SHA1
c3252b56dbc076cb3e232ce2e6a9aa18a11144a7

SHA256
5fbfe27a69498b83fab2447a509a746806d747dae201e9ea2b05286e433aa786

SHA512
0eb24ca46e60131d0006b586ac7ec0b77c9d4b85af1c2bbfe01a5306ea5a89a07562161fa60ffa475d66cedc43951377d92f11ceada8babc029bb04bd5a37f7a

Download Submit