2bd843024c373e86260f141d51228c55015aa488ebcd24f0c5ca9636fd9b360c

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 18:05

Target

sample.exe
Size

337KB
MD5

cd5bc22cd00975467ba470a2aad9e3be
SHA1

c59f130dd579e3f7d31a4d8d0f3fa5f269b332f3
SHA256

06013460d92bfef5f63085d1d10afb87a417678642b199cdae282395d1b09261
SHA512

887e12492751f0bbded9bd665c39a5a28e31d77bc2de0c8ade73b63173352d6e9bc8f9575d966772e39c4b1622aa4d9966e7f873b405eca8f4b2c515ab9b7ac9
SSDEEP

6144:+z+92mhAMJ/cPl3ihLcDkcK7TSH6eby0gePbS1hNPnHt6Q+hTnO3pE:+K2mhAMJ/cPlPgcK6bb6KbCL6phi3C

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

start.exe

pid process

4836 start.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sample.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

start.exe

pid process

4836 start.exe
4836 start.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

start.exe

pid process

4836 start.exe

pid	process
4836	start.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sample.exe

pid	process
4836	start.exe
4836	start.exe

pid	process
4836	start.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 2452 wrote to memory of 4836	2452	sample.exe	start.exe
PID 2452 wrote to memory of 4836	2452	sample.exe	start.exe
PID 2452 wrote to memory of 4836	2452	sample.exe	start.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe

Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe

Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
memory/4836-132-0x0000000000000000-mapping.dmp

Download