5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac

Analysis

max time kernel
123s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
Size

193KB
MD5

f8e64b6d0eee0b6806984c6452368e97
SHA1

026c28e7cd3fc181520517a40841d0d59926bbcc
SHA256

5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac
SHA512

b60eadfda105343ca9cfa8f424328a06c54257492d6ee74896d923607ba07012e0c9f81a09bfcd6e227fdbb555b111df086d339fc643b3b8ca027d23de48b335
SSDEEP

6144:ULHAjWhKHQjFOlTFYlMCARRTqfbOSL5IXKZV0I:ULHAjWhKHQjFOlTFYlMCARRTqfbOSL5F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2744	sara.exe
4888	sara.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 4888	2744	sara.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4888	sara.exe
4888	sara.exe
4888	sara.exe
4888	sara.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	sara.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2744	4968	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	82
PID 4968 wrote to memory of 2744	4968	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	82
PID 4968 wrote to memory of 2744	4968	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	82
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 2744 wrote to memory of 4888	2744	sara.exe	83
PID 4888 wrote to memory of 992	4888	sara.exe	73
PID 4888 wrote to memory of 992	4888	sara.exe	73
PID 4888 wrote to memory of 992	4888	sara.exe	73
PID 4888 wrote to memory of 992	4888	sara.exe	73

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:992
- C:\Users\Admin\AppData\Local\Temp\5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
  "C:\Users\Admin\AppData\Local\Temp\5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\sara.exe
    "C:\Users\Admin\AppData\Local\Temp\sara.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\sara.exe
      C:\Users\Admin\AppData\Local\Temp\sara.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
memory/992-142-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4888-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4888-141-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/4888-143-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download