0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

Analysis

max time kernel
254s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe
Size

248KB
MD5

8432935b64ef23c0c07720f1142ffd93
SHA1

1f22b05be3855a7a66cf59cc2958277a2a23f925
SHA256

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df
SHA512

feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec
SSDEEP

3072:4k2t7jYmwrtGHESwzd5XmXm1656cKWK1mrFlao6Tw2C6NHZtl4o3nb9Bb1qle/jQ:mtnKGkaXC6563WKsvlawX6RZ1BDiEC

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

google.exe

pid process

2956 google.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

432 netsh.exe

pid	process
2956	google.exe

pid	process
432	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe

Drops startup file 2 IoCs

Processes:

google.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\760a31a51389e6dce4ab8e433bd27602.exe	google.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\760a31a51389e6dce4ab8e433bd27602.exe	google.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

google.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\760a31a51389e6dce4ab8e433bd27602 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\760a31a51389e6dce4ab8e433bd27602 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exegoogle.exe

description	pid	process	target process
PID 2608 wrote to memory of 2956	2608	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe	google.exe
PID 2608 wrote to memory of 2956	2608	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe	google.exe
PID 2956 wrote to memory of 432	2956	google.exe	netsh.exe
PID 2956 wrote to memory of 432	2956	google.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe
"C:\Users\Admin\AppData\Local\Temp\0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\google.exe
"C:\Users\Admin\AppData\Local\Temp\google.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\google.exe
Filesize
248KB

MD5
8432935b64ef23c0c07720f1142ffd93

SHA1
1f22b05be3855a7a66cf59cc2958277a2a23f925

SHA256
0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

SHA512
feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe
Filesize
248KB

MD5
8432935b64ef23c0c07720f1142ffd93

SHA1
1f22b05be3855a7a66cf59cc2958277a2a23f925

SHA256
0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

SHA512
feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec

Download Submit
memory/432-141-0x0000000000000000-mapping.dmp

Download
memory/2608-132-0x0000000000B90000-0x0000000000BD4000-memory.dmp

Filesize
272KB

Download
memory/2608-133-0x00007FFAFB0B0000-0x00007FFAFBB71000-memory.dmp

Filesize
10.8MB

Download
memory/2608-134-0x00007FFAFB0B0000-0x00007FFAFBB71000-memory.dmp

Filesize
10.8MB

Download
memory/2608-139-0x00007FFAFB0B0000-0x00007FFAFBB71000-memory.dmp

Filesize
10.8MB

Download
memory/2956-135-0x0000000000000000-mapping.dmp

Download
memory/2956-138-0x00007FFAFB0B0000-0x00007FFAFBB71000-memory.dmp

Filesize
10.8MB

Download
memory/2956-140-0x00007FFAFB0B0000-0x00007FFAFBB71000-memory.dmp

Filesize
10.8MB

Download