5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79

Analysis

max time kernel
186s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe
Size

1.6MB
MD5

cea8150c6576c02e33c82d63243d01ad
SHA1

ffa03b93910d1babe2bf5bfe4bdb6a8207f557e2
SHA256

5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79
SHA512

85f21a31ec95d2361fd88291209ace2823661978840f759b5066d888d2e5e0962876c81c009b86adae129a12d84949a3c9235f841bdbf2b0ba56953ebc55c80d
SSDEEP

49152:lwf0GoyZCnbZQQEjyzCGJeYuRwf0GoyZCnbZQQEjyzCGJeYu:ldyiaQEjyzCGJe9dyiaQEjyzCGJe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3116	1.exe
5072	2.exe
2056	mu3mp3.exe
4976	mu3mp3.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3116	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	80
PID 4688 wrote to memory of 3116	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	80
PID 4688 wrote to memory of 3116	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	80
PID 4688 wrote to memory of 5072	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	81
PID 4688 wrote to memory of 5072	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	81
PID 4688 wrote to memory of 5072	4688	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	81
PID 3116 wrote to memory of 2056	3116	1.exe	83
PID 3116 wrote to memory of 2056	3116	1.exe	83
PID 5072 wrote to memory of 4976	5072	2.exe	82
PID 5072 wrote to memory of 4976	5072	2.exe	82

C:\Users\Admin\AppData\Local\Temp\5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe
"C:\Users\Admin\AppData\Local\Temp\5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe"
    3⤵
    - Executes dropped EXE
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe"
    3⤵
    - Executes dropped EXE
    PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\mu3mp3.exe.log

Filesize
128B

MD5
3d238ac6dd6710907edf2ad7893a0ed2

SHA1
b07aaeeb31bdc6e94097a254be088b092dc1fb68

SHA256
02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501

SHA512
c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.mp3

Filesize
310KB

MD5
a4050415cbebf666ace2888318aa2cdb

SHA1
796f5548129aab3e08d81a3ffff2c20fb1be1279

SHA256
853190a99672a24dfea2ecace4cb2a61eec940687df30bacbf18211a4d69374a

SHA512
fe943455be13368026c161a48b867c01e08cf11f63945c7452d9be9192940476759c9a3e2906cf311b39494115785ff2d6e0c4e9d9c8604cb6664390ea14f472

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fiche-identite-oeuvre.pdf

Filesize
7KB

MD5
988b2a07ae9d11d94dfde2425866c5b4

SHA1
53a7c3aafc268b2636341a7a7503191b791f0b73

SHA256
383fd78bf9d06cb56ddb361f45cf53a25e81e974f4153f2f6b07c59b89c8c0ea

SHA512
3340271202f8ec5729ea807b53c85707edfb87f89ff8200d9395cdf0069be5120a92fbd3042d4f81bc1de0020be50fc19c80efd4a3100baac014a1b96b26bb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fiche-identite-oeuvre.pdf

Filesize
7KB

MD5
988b2a07ae9d11d94dfde2425866c5b4

SHA1
53a7c3aafc268b2636341a7a7503191b791f0b73

SHA256
383fd78bf9d06cb56ddb361f45cf53a25e81e974f4153f2f6b07c59b89c8c0ea

SHA512
3340271202f8ec5729ea807b53c85707edfb87f89ff8200d9395cdf0069be5120a92fbd3042d4f81bc1de0020be50fc19c80efd4a3100baac014a1b96b26bb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
74d66d33299c3f35ba744b9b3edfbb71

SHA1
b94dffabcc8fe5da66684f9687a91059e317abd0

SHA256
c27c9ab9eba79a81c6c27e761f665ddfc615a13ce2c43521f0faf09c2c06a435

SHA512
e2a65f1f63338b27f0d803cc49240663be149b32ed20e02df2f2263764cb40098341aa662545d38e5269de30aaceafb0e50242d6d8792cedc062f1eb8d693d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
memory/2056-146-0x00007FFC5FD50000-0x00007FFC60786000-memory.dmp

Filesize
10.2MB

Download
memory/4688-132-0x00007FFC5FD50000-0x00007FFC60786000-memory.dmp

Filesize
10.2MB

Download
memory/4976-147-0x00007FFC5FD50000-0x00007FFC60786000-memory.dmp

Filesize
10.2MB

Download