a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59

Analysis

max time kernel
164s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe
Size

245KB
MD5

a3becd0d67e4de477bf1a0ba9600e5f4
SHA1

a06dc2589c61b02de99ec5123a44031ad67a06ee
SHA256

a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59
SHA512

bb44001293736c57624eed9a80e7d65f98a105639733836467dd82d7fec90f706090b8b631da33b58149ab45c1272cc69d3a6dca9ae87e6f8daae327c5a63a39
SSDEEP

6144:MvbP36OAaAQal+Dmn3cpSE6cr5FnBkU5ZR2:gr3v/ralsG3C66qUzR2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1844	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2220	1844	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	82
PID 1844 wrote to memory of 2220	1844	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	82
PID 1844 wrote to memory of 2220	1844	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	82

C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe
"C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c move "~@fs851aa623" "C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe" > nul
  2⤵
  PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~@fs851aa623

Filesize
245KB

MD5
002aade33665e46b9d70db444f388f7b

SHA1
3a9e8d95e95442f9dfd4a8fa514d8ccd254c7f53

SHA256
17a5cbaa94aa3c40f82ff2dbe5d2f5ec590afac7e39ecbea0f563b77b5eddfbd

SHA512
a032a9c03595cd6a65ff0f099e50a3bdba8eccdadcd547e87de6228d53e2f53696597113716cb4a7c0c843fb2e0941c62b2398bab991402bdf70656bb7718e8a

Download Submit
memory/2220-132-0x0000000000000000-mapping.dmp

Download