26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e

Analysis

max time kernel
206s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe
Size

23.9MB
MD5

0f8ce01c3d656eb1c2566d3946110f2c
SHA1

7796339886d72f98cb474d8db7c44d44d0af7c26
SHA256

26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e
SHA512

17179c2559ac75b0cb935ad4981d0df6b941df59eadb1a58d3295e7c82cded72d28e3fbd1fbad9bdb0424e9a21d4abcf370a6a578a3346c9fe6e7a7a562deddb
SSDEEP

393216:tLRu3MWcRpBZTzdqinyQ75wvdQWA0OiaR3C8dZYhrTFw3WAP/GhP6VOOSP2o95dc:EMWcRp/fdqotHfZbpdZ+TF/AP/uP2OW7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
388	temp-360yunpan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe

Loads dropped DLL 1 IoCs

pid	Process
3700	26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 388	3700	26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe	83
PID 3700 wrote to memory of 388	3700	26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe	83
PID 3700 wrote to memory of 388	3700	26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe	83

C:\Users\Admin\AppData\Local\Temp\26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe
"C:\Users\Admin\AppData\Local\Temp\26b901af4a32869ffd1f452209d30df09a94e7b1257a64bffc8773cc593b152e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\temp-360yunpan.exe
  "C:\Users\Admin\AppData\Local\Temp\temp-360yunpan.exe"
  2⤵
  - Executes dropped EXE
  PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360yunpan.ini

Filesize
59B

MD5
8df6fd4e0033cc9accc82e73f345201e

SHA1
9877dbabf3cd0c84c22f8f3d1fe8d752d84cde1b

SHA256
e03f8faeba5b3b06b65aa358451b5f492be0d900a5c8bad83a296c5c284ecc76

SHA512
416369e1243e6d4bba36817d66280e5f9cdc79de13b3e8e34e5fea1f741cdc53b1f0e281c57030c1ac7a4f5943b4d312ee8625968edd0f3fc254c13cf0f3b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB586.tmp\Banner.dll

Filesize
4KB

MD5
91c9ee5005ac6cb4ec79a3b039b4c8df

SHA1
95a9c018b501b6697beca846a33955909c3f97be

SHA256
05838c8f81efbb98679010158f29cefd88a34fb1fe5d603e839dd406235ddf29

SHA512
41cc45a64fbe64cd83e704e87193004245f5d29f4f880921d041e5f2ceec86ca0653146e6477642eba73875b9d5f0d773b540436b19e4797def9c15d7618474b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-360yunpan.exe

Filesize
1.5MB

MD5
f583904636db39940e522a84d5ce9e48

SHA1
ecf75c9f107a080c2ee42c2d6849198fd204b5a3

SHA256
d3d847dac04e882f6260d53b68436247ca383bca10cac08c4e349d7d3786ac5d

SHA512
4484164fe386c9e1558fd14a7a02cf1f4ec7e50ae550b0005d6844287e2f45fdb5a9af4b626523b5bba1924aa6efb66d043f122ac0b383947ddfffc1e69c1e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-360yunpan.exe

Filesize
1.5MB

MD5
f583904636db39940e522a84d5ce9e48

SHA1
ecf75c9f107a080c2ee42c2d6849198fd204b5a3

SHA256
d3d847dac04e882f6260d53b68436247ca383bca10cac08c4e349d7d3786ac5d

SHA512
4484164fe386c9e1558fd14a7a02cf1f4ec7e50ae550b0005d6844287e2f45fdb5a9af4b626523b5bba1924aa6efb66d043f122ac0b383947ddfffc1e69c1e1a

Download Submit
memory/388-133-0x0000000000000000-mapping.dmp

Download