44f5d8791196affa766761fc60240311320c0fb7d2b08e6844a2441dd538f208

Analysis

max time kernel
74s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Curriculo_16-12-2014_com_foto.exe
Size

225KB
MD5

08f7c8d1094f0654318bd0c840c60767
SHA1

d7a6b244ed5ec090ed2877e32c2866b9119b34fd
SHA256

dc37f296876c1f813846a8285b8ad16c8c0426ebbe1a6e0ee753a90b8b5b3d66
SHA512

8f24028f6f55da4ccfa8cc70f93941434e6446260130986adfc03c7c7309381332853ab12489f98f3d9b8715327abc06fc6836037a0262d1f8d480b7cbc106c8
SSDEEP

3072:aFedCIIANhf0BPzqoTMD4RCRiq0YTaOlkwK5SYFiI+eTOSwdGsjWfHD1pTUaTKri:aAUDa0BwE4BQwK5SYF70SwYfjsaq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 4880	3340	Curriculo_16-12-2014_com_foto.exe	81
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 3592	3340	Curriculo_16-12-2014_com_foto.exe	82
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 4028	3340	Curriculo_16-12-2014_com_foto.exe	84
PID 3340 wrote to memory of 1788	3340	Curriculo_16-12-2014_com_foto.exe	91
PID 3340 wrote to memory of 1788	3340	Curriculo_16-12-2014_com_foto.exe	91
PID 3340 wrote to memory of 1788	3340	Curriculo_16-12-2014_com_foto.exe	91
PID 1788 wrote to memory of 1156	1788	cmd.exe	93
PID 1788 wrote to memory of 1156	1788	cmd.exe	93
PID 1788 wrote to memory of 1156	1788	cmd.exe	93
PID 1156 wrote to memory of 5112	1156	WScript.exe	94
PID 1156 wrote to memory of 5112	1156	WScript.exe	94
PID 1156 wrote to memory of 5112	1156	WScript.exe	94
PID 5112 wrote to memory of 3088	5112	RunLegacyCPLElevated.exe	95
PID 5112 wrote to memory of 3088	5112	RunLegacyCPLElevated.exe	95

C:\Users\Admin\AppData\Local\Temp\Curriculo_16-12-2014_com_foto.exe
"C:\Users\Admin\AppData\Local\Temp\Curriculo_16-12-2014_com_foto.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4880
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3592
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~A5C6.vbs restart
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\~A5C6.vbs" restart
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
      "C:\Windows\system32\RunLegacyCPLElevated.exe" shell32.dll,Control_RunDLL )a_eMdlFl+1Dcit(, restart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL )a_eMdlFl+1Dcit(, restart
        5⤵
        
        PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~A5C6.vbs

Filesize
198B

MD5
16cd277311b2d3254db599ceb2160fe5

SHA1
ba86d3c2de5661638ddfdad46f725d58ee557b77

SHA256
df0a4b0caf6e1813b398d86c2d21b48132790ac60eee3ce8534ef5329c03506e

SHA512
0deb5669b72d11a443f1790222ecfb8a899d9b755bc70e8285e7968a70479d19ac4cf705c28267a747f8760a86216280ffdb01b41f50fe02a392da84443c2c59

Download Submit
memory/3340-132-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3340-133-0x0000000000510000-0x0000000000513000-memory.dmp

Filesize
12KB

Download
memory/3340-135-0x0000000000510000-0x0000000000513000-memory.dmp

Filesize
12KB

Download
memory/3340-139-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download