9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687

Analysis

max time kernel
153s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe
Size

12.2MB
MD5

0f545affdee42c330ca5ee4641e63d07
SHA1

ffea3be216fb79232b578400519a9de7e93072ad
SHA256

9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687
SHA512

3835cbd2cf30065fe7490cc534bc198f9bb95c477ffd8d6ad75c71a0b4b0629e01ecaa153abe3f6404d1d474de1a8ea2d4b210ca43ed88fb55a35c28cd370367
SSDEEP

196608:NCkADDdvUhbOUJ6jettPnjePhHBL8WLQUfuVECguLiXw5cQnnUHGuSjvpXd0LHz8:NC/DdcjJ6ieZhLTLQUfuVElXOn000LTE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5008	temp-wmwb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe

Loads dropped DLL 1 IoCs

pid	Process
4288	9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 5008	4288	9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe	84
PID 4288 wrote to memory of 5008	4288	9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe	84
PID 4288 wrote to memory of 5008	4288	9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe	84

C:\Users\Admin\AppData\Local\Temp\9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe
"C:\Users\Admin\AppData\Local\Temp\9648260ebd6d42670ad21a574f72ba079083356be040ac602b7071c86b170687.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\temp-wmwb.exe
  "C:\Users\Admin\AppData\Local\Temp\temp-wmwb.exe"
  2⤵
  - Executes dropped EXE
  PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswFE5C.tmp\Banner.dll

Filesize
4KB

MD5
258dd27107feabb1969908a9387a79d7

SHA1
80f85b610e57d6ab07988cdae60c83300bef6a8f

SHA256
f4fc1344c32ad1c075067c6abfd168a1815dbc6f97103e83e7e8e708230889d2

SHA512
e2df96efab3ea794e75b6a3c9038601c7abd956b41fbbcc4fb60013e0d319d9978f539dc0f944778d05d2e384192d918e06dce8bf76f355d0cbfd142313b9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-wmwb.exe

Filesize
1.5MB

MD5
f6252f6e6bb747ad03e75cf346331ce9

SHA1
1ba0654a8b2c1050e921a2632ac6e21022d53f98

SHA256
f30e63449ebc196d02f2daa2f5cd741dcc04ff63dcc4ea5e7cbd4876b98f1fc0

SHA512
251008c90c38b94ab8baba5c0e85e07f20b1792c1bd0564c959a696e3717ab9b9da86960d1ae51b2dcf65b4ef18e76c7b6734a2a53bee2d01f00abf28ca8bc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp-wmwb.exe

Filesize
1.5MB

MD5
f6252f6e6bb747ad03e75cf346331ce9

SHA1
1ba0654a8b2c1050e921a2632ac6e21022d53f98

SHA256
f30e63449ebc196d02f2daa2f5cd741dcc04ff63dcc4ea5e7cbd4876b98f1fc0

SHA512
251008c90c38b94ab8baba5c0e85e07f20b1792c1bd0564c959a696e3717ab9b9da86960d1ae51b2dcf65b4ef18e76c7b6734a2a53bee2d01f00abf28ca8bc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmwb.ini

Filesize
63B

MD5
bafcd43e256d330e606152db85ada5b3

SHA1
85f2a3ce96d2643586a67cfdc66245fae445f3ab

SHA256
eec3dfac9e034345792720ddb156dc044db619efeeb33e2bf1a244e493b6a61e

SHA512
51fef029d8dc9c76c61dacbd87faccebb5cc2cb6e48f87284af0f45c30dcce30e8997d2138403e54ac27852b5966c4f2fba6974a1de3a5e31053fe4160c0b98d

Download Submit