Analysis
max time kernel: 193s
max time network: 225s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 15:18
Static task: static1
Behavioral task: behavioral1
  Sample: d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
  Resource: win10v2004-20221111-en
General
Target: d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
Size: 913KB
MD5: 67de448a65e1e16d4a1d6f5a65b4c61a
SHA1: ab7166a256aad0180e46e88d2169b4cadaf1ebf4
SHA256: d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9
SHA512: 47f477732c88f3e7f99273c4dbd563dfd288be342af08bbca60e1020e65b4d32199b85bf6a15cbe93f6e4e0e47d42915b1a42b5e2ed5193aaf30d888e38cc29e
SSDEEP: 12288:yK2mhAMJ/cPltTiD8/HBP7v8h7UZYE82Y5UKUL4n4y3Xp3SbSl/ADUnr:z2O/GltWD8fBPA7g6zwm4m53Sb2YDUnr
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Process: PID 4536 lokdpnhssmcq.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: lokdpnhssmcq.exe
Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\I5D9G4~1 = "C:\\Users\\Admin\\I5D9G4~1\\nspfptok.vbs"
Note that the persistence is under RunOnce, not Run: the value name is the 8.3 short path of the drop directory and the data points to a .vbs file inside it.
Checks whether UAC is enabled
Process: lokdpnhssmcq.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: PID 4536 lokdpnhssmcq.exe (4 events)
Suspicious use of WriteProcessMemory (6 IoCs)
PID 1352 (d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe) wrote to memory of PID 4536 (lokdpnhssmcq.exe), 3 events
PID 4536 (lokdpnhssmcq.exe) wrote to memory of PID 4388 (RegSvcs.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe
      Command line: "C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe" mevvzby
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
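The chain above is a compact version of a very common loader pattern: the original sample drops a second executable into a fresh directory under the user profile, that executable writes a RunOnce value pointing at a .vbs in the same directory (the value uses the 8.3 short name I5D9G4~1, consistent with the i5d9g4jxa83i directory seen in the process tree), and then writes into a RegSvcs.exe it launched with no arguments. The argument `mevvzby` passed to the second stage is also the name of the 646.8MB file dropped beside it; files that large often exceed the upload limits of scanning services, which is worth noting when collecting samples. The script below is an added hunting example, not part of this report or the sandbox's own logic. It assumes Sysmon-style records (EventID 13 registry value set, EventID 1 process create) with the field names TargetObject, Details, Image, ParentImage and CommandLine; the sample events are constructed to mirror the IoCs on this page plus two benign controls. Registry value reads such as the Geo\Nation and EnableLUA queries are not something Sysmon records, so they are visible in the sandbox API trace but are not modelled here.

```python
"""Hunting logic for the RunOnce-script persistence and RegSvcs.exe injection host pattern.

Added example, not part of the sandbox report. Field names follow Sysmon EventID 13
(registry value set) and EventID 1 (process create); that log source is an assumption.
"""
import ntpath
import re

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d")                      # 8.3 component such as I5D9G4~1
LEADING_IMAGE_RE = re.compile(r'^(?:"[^"]*"|\S+)\s*')  # strips argv[0] from a command line


def score_registry_event(event):
    """Reasons a registry SetValue event looks like script-based Run/RunOnce persistence."""
    reasons = []
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return reasons
    reasons.append("run_key_write")
    data = event.get("Details", "").strip().strip('"')
    if SCRIPT_EXT_RE.search(data):
        reasons.append("script_payload")
    if USER_PROFILE_RE.match(data):
        reasons.append("user_profile_path")
    if SHORT_NAME_RE.search(data):
        reasons.append("short_name_path")
    return reasons


def score_process_event(event):
    """Reasons a process-create event looks like RegSvcs.exe being used as an injection host."""
    reasons = []
    if ntpath.basename(event.get("Image", "")).lower() != "regsvcs.exe":
        return reasons
    args = LEADING_IMAGE_RE.sub("", event.get("CommandLine", "").strip(), count=1).strip()
    if not args:
        reasons.append("regsvcs_no_args")        # legitimate use passes an assembly path
    if USER_PROFILE_RE.match(event.get("ParentImage", "")):
        reasons.append("user_profile_parent")
    return reasons


def score_event(event):
    if event.get("EventID") == 13:
        return score_registry_event(event)
    if event.get("EventID") == 1:
        return score_process_event(event)
    return []


def triage(events, threshold=2):
    """Return (index, reasons) for every event with at least `threshold` reasons.

    A single run-key write or a single RegSvcs.exe launch is too noisy on its own;
    requiring two indicators keeps installers and developer tooling out of the hits.
    """
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append((i, reasons))
    return hits


# Constructed sample events mirroring this report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe",
     "TargetObject": r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft"
                     r"\Windows\CurrentVersion\RunOnce\C:\Users\Admin\I5D9G4~1",
     "Details": r"C:\Users\Admin\I5D9G4~1\nspfptok.vbs"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",          # benign control
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",  # benign control
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\build\Service.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

Two of the four sample events fire: the RunOnce write (four indicators) and the argument-less RegSvcs.exe spawned from the user profile (two). The Run-key write by the installer and the RegSvcs.exe invocation that receives an assembly path score below the threshold and are left alone.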
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\I5D9G4~1\gjsenxmaomap.UOX
  Filesize: 89B
  MD5: 6555605040d90d02e35161f27518821f
  SHA1: 8979afd72300842935326852bb4bdcd28040c27f
  SHA256: 87acbecbc873d2523c8937afb7a79ce8a724c96863030552510b71ebfb39d654
  SHA512: 8aaf385bd1e9e35982799722caf7d384208bb1ddb9718a6d20772e26fb37376fe7108f8ed4c5eb18275c7de78041f72c4e059d93b527a8eb1a595e8dfd8f28a7
C:\Users\Admin\I5D9G4~1\yweh.BZK
  Filesize: 84KB
  MD5: a3996a84f8c3744b541d3388bcdda83c
  SHA1: 80b28686fdb20bd666a199860af5d48caa3a57d1
  SHA256: a8190c726d39e659579a4705ed113b900257e50eb83f626df90e82b179b18fe6
  SHA512: c04ead0005b5697f8c38b8e13456a9172d0106219db444294b8bcd90ca172ef6598c179f566ee0a8ff6c834c59a7053aef1f3453e442063fcf0db989eef85527
C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
C:\Users\Admin\i5d9g4jxa83i\mevvzby
  Filesize: 646.8MB
  MD5: e9ca388696fb78f1ada8e734de03885e
  SHA1: 7676ce9afc658edece20ef05c57bb9cf5fa22b0a
  SHA256: a47b9aff9070bbca23bd4610bffd2f8a71fb11ad4f009a2dcfee7903883b9d69
  SHA512: bc84e2e71c92086c594c30a9ab3c2e7884f706c47540ba6be58938c515393645ae728ec334954ba5fa193dd1f1798c453fdbeaa81eb182f7856b71d1a88ef980
Memory dumps:
  memory/4388-138-0x0000000000000000-mapping.dmp (RegSvcs.exe, PID 4388)
  memory/4536-132-0x0000000000000000-mapping.dmp (lokdpnhssmcq.exe, PID 4536)