97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54

Analysis

max time kernel
188s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 04:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe
Size

196KB
MD5

3e821556e1fa5dccaff93efd8471e185
SHA1

e0d9c604f8279adb79cbcd3489f2d6aef23fd498
SHA256

97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54
SHA512

16f21eeadbb9f454f92c845120a10e8c1e7775e51330b42a998d52d1b42e2976e142ee03921401a0cc63c430ef90d42af9d3f4cf08e8c2cd678b1a06cfd265ce
SSDEEP

3072:VcQ/XXYK5+FLiKjnoUtjICsLgysqCO1e9n88gfZigOfYPAdu2:LHYK5+5Vkgyiye9nOxiBf2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3068	CMFQJNDNBYQ.exe
4496	CMFQJNDNBYQ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 4496	3068	CMFQJNDNBYQ.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	CMFQJNDNBYQ.exe
4496	CMFQJNDNBYQ.exe
4496	CMFQJNDNBYQ.exe
4496	CMFQJNDNBYQ.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3068	2080	97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe	83
PID 2080 wrote to memory of 3068	2080	97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe	83
PID 2080 wrote to memory of 3068	2080	97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe	83
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 3068 wrote to memory of 4496	3068	CMFQJNDNBYQ.exe	84
PID 4496 wrote to memory of 388	4496	CMFQJNDNBYQ.exe	61
PID 4496 wrote to memory of 388	4496	CMFQJNDNBYQ.exe	61
PID 4496 wrote to memory of 388	4496	CMFQJNDNBYQ.exe	61
PID 4496 wrote to memory of 388	4496	CMFQJNDNBYQ.exe	61

C:\Users\Admin\AppData\Local\Temp\97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe
"C:\Users\Admin\AppData\Local\Temp\97f6f977d52149fc1f2bcfa965df424fcab834d81107dc05e21515e2f1cd6d54.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe
  "C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe
    ºC:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe

Filesize
64KB

MD5
bdf72078af58391be59d0f2ad2777171

SHA1
592f8f958199ec62dc456a202596c3ca2ddb3405

SHA256
9e78ed8bbfadef8dc1afe7ec8c29e524aa1b4100be7bc8d879629cecca743a77

SHA512
fe941078d9967db063644c7225e7bac0ebb7484a863ea51042e7d1254cb0db4397fa4afb83472f2b3b6ffaf0a82f38d668da147e5b41b42adfa3525bf0dd5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe

Filesize
64KB

MD5
bdf72078af58391be59d0f2ad2777171

SHA1
592f8f958199ec62dc456a202596c3ca2ddb3405

SHA256
9e78ed8bbfadef8dc1afe7ec8c29e524aa1b4100be7bc8d879629cecca743a77

SHA512
fe941078d9967db063644c7225e7bac0ebb7484a863ea51042e7d1254cb0db4397fa4afb83472f2b3b6ffaf0a82f38d668da147e5b41b42adfa3525bf0dd5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMFQJNDNBYQ.exe

Filesize
64KB

MD5
bdf72078af58391be59d0f2ad2777171

SHA1
592f8f958199ec62dc456a202596c3ca2ddb3405

SHA256
9e78ed8bbfadef8dc1afe7ec8c29e524aa1b4100be7bc8d879629cecca743a77

SHA512
fe941078d9967db063644c7225e7bac0ebb7484a863ea51042e7d1254cb0db4397fa4afb83472f2b3b6ffaf0a82f38d668da147e5b41b42adfa3525bf0dd5cc1

Download Submit
memory/388-141-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2080-132-0x000000001AFD0000-0x000000001BA06000-memory.dmp

Filesize
10.2MB

Download
memory/4496-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4496-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4496-142-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4496-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download