741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7

Analysis

max time kernel
153s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 01:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe
Size

694KB
MD5

ba813e6f3d090150bf60095200205bec
SHA1

04124bce32562b2689273bd2828278a6f19ef6ca
SHA256

741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7
SHA512

2de5b02479faba7145f743ae0204f2befafe90cdef73fd8a7987da0f6af4f5614dad6c2417843cacb51afa650aa71eaae8598ae6878098cc8ede2ae6143c357f
SSDEEP

12288:cRWNcr8oxncyxmrRIcB2ug81N5rom7OCUAxOpiYN8TBO/H2hNV5BRjgrVLwFZNfZ:3NBIcemrRErKN5rJ7Oi9h9uMryVwpUe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4204	amdcc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 3 IoCs

pid	Process
4204	amdcc.exe
4204	amdcc.exe
4204	amdcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1256	2200	741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe	81
PID 2200 wrote to memory of 1256	2200	741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe	81
PID 2200 wrote to memory of 1256	2200	741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe	81
PID 1256 wrote to memory of 4204	1256	WScript.exe	82
PID 1256 wrote to memory of 4204	1256	WScript.exe	82

C:\Users\Admin\AppData\Local\Temp\741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe
"C:\Users\Admin\AppData\Local\Temp\741d73c62d4aa3c66de5ff6b8330e437dc9bfa977362c8b2cf385fc0d5ea03f7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\amdcc.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\amdcc.exe" -u hessu.me1 -p x -t 0 -a 3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\amdcc.exe

Filesize
347KB

MD5
86be9d169cb8b5aca1f499774a8dce64

SHA1
bdd9a575b244b77b3b954c73a38ccb3dcb4a1482

SHA256
c657324324e3552574067261ca3e8bff4df7557d1cfdd8b1232c58387115c609

SHA512
2e9b38aed78a1e1e84a64e6a4d3b71df9c314790988eecbe89291e0e0e8494b61c9d3592256c33c89edc10387d704cfbe4b14a62095134ccdfc23b40dd8653ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\amdcc.exe

Filesize
347KB

MD5
86be9d169cb8b5aca1f499774a8dce64

SHA1
bdd9a575b244b77b3b954c73a38ccb3dcb4a1482

SHA256
c657324324e3552574067261ca3e8bff4df7557d1cfdd8b1232c58387115c609

SHA512
2e9b38aed78a1e1e84a64e6a4d3b71df9c314790988eecbe89291e0e0e8494b61c9d3592256c33c89edc10387d704cfbe4b14a62095134ccdfc23b40dd8653ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libgcc_s_seh-1.dll

Filesize
73KB

MD5
6f2ca7591805d1324496933ef9cbe619

SHA1
b915cc38832c950b48297909f9618efd4bd70418

SHA256
ddfa8fc469531401dae5ffeeb0fd368739e068ce4b2be6fccb583bfe27f29ad7

SHA512
e99b7e18648d94632c1c9e0f9d15222e94b4ef8d6fc64a597f5e82c09842c0e2703383e1d6a450efbf58f09ef0f3522b5bb12690492fbe186a201c041eac1d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libgcc_s_seh-1.dll

Filesize
73KB

MD5
6f2ca7591805d1324496933ef9cbe619

SHA1
b915cc38832c950b48297909f9618efd4bd70418

SHA256
ddfa8fc469531401dae5ffeeb0fd368739e068ce4b2be6fccb583bfe27f29ad7

SHA512
e99b7e18648d94632c1c9e0f9d15222e94b4ef8d6fc64a597f5e82c09842c0e2703383e1d6a450efbf58f09ef0f3522b5bb12690492fbe186a201c041eac1d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libstdc++-6.dll

Filesize
905KB

MD5
9927cc6b9a587f02c0cca2eb05f40d42

SHA1
d575f8f2871ca533021c1ff273ef837a65b2c111

SHA256
f3bd46a6927dd8dd3a622f60891f55646a9fc44c85cdb9d67bfea681d75abe50

SHA512
e4f3d5c59f6f53474bf79be95556171f0736f886500f4581e6639d7797e06b5006c577170c59fa0e4d29ddfccc7e56203436040a8be736bd3671914834213c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libstdc++-6.dll

Filesize
905KB

MD5
9927cc6b9a587f02c0cca2eb05f40d42

SHA1
d575f8f2871ca533021c1ff273ef837a65b2c111

SHA256
f3bd46a6927dd8dd3a622f60891f55646a9fc44c85cdb9d67bfea681d75abe50

SHA512
e4f3d5c59f6f53474bf79be95556171f0736f886500f4581e6639d7797e06b5006c577170c59fa0e4d29ddfccc7e56203436040a8be736bd3671914834213c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libwinpthread-1.dll

Filesize
298KB

MD5
bb0019619d0e3b013018ba6cbfb6185f

SHA1
c23b023ac220283b81d98bbdf5ada3e40ab20e60

SHA256
4dd3c7262580fb8a03813c249b643d81dd0e5b90e883102a33a5a1d62500132e

SHA512
9b2731e63d50b78bf27b680f3ef33b85e68659dadaf9734ccbeb9297370c323e39d13a5b794b705a892203064dad156f6471612cb40415d6d7701347641db0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libwinpthread-1.dll

Filesize
298KB

MD5
bb0019619d0e3b013018ba6cbfb6185f

SHA1
c23b023ac220283b81d98bbdf5ada3e40ab20e60

SHA256
4dd3c7262580fb8a03813c249b643d81dd0e5b90e883102a33a5a1d62500132e

SHA512
9b2731e63d50b78bf27b680f3ef33b85e68659dadaf9734ccbeb9297370c323e39d13a5b794b705a892203064dad156f6471612cb40415d6d7701347641db0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

Filesize
76B

MD5
266d9f4e6b5c84e3b4d0f2fa90bc2323

SHA1
bd772181aaf407726c96235ce2b7f83b0c0cc734

SHA256
1d81136392ba2eb30bd4ffb0ae2611104a3d2443864b990195b6dadd611856e9

SHA512
07e1a6d8744bf4b0e339f993ff91a3186bc816c9ffaad3d8af9134509c24197d91da4521a994b77b623c70ae699408d7420337b0619c5d73aff183e35fc6a130

Download Submit