966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a

Analysis

max time kernel
181s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe
Size

200KB
MD5

89b47751e7f4a983af2e4840a06e6ff6
SHA1

b1971174c7eef1b79cb819299ba09421e18ce7ec
SHA256

966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a
SHA512

75b9799030acb912af40a74f2653145d61ad433976489a95bb045375ac16689a4b8b4e6be0c7798830249796c5a5ece197dca6b1dbc88238d2daa33cdcc78740
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHZZhLTvV0b0QqWUblK6aTqbfLIJeG:WTfFDbRnOTrA53ryg5U68M8j

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4040	2268	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2268	5024	966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe	85
PID 5024 wrote to memory of 2268	5024	966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe	85
PID 5024 wrote to memory of 2268	5024	966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe	85

C:\Users\Admin\AppData\Local\Temp\966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe
"C:\Users\Admin\AppData\Local\Temp\966000e41f00314cfa343c1451a2fe748a19e8bf6b59bf6653678f806d21ef9a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 228
    3⤵
    - Program crash
    PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2268 -ip 2268
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
287KB

MD5
f217825b5235a9d67646f2ef41e9e68c

SHA1
4346d9c76b7d74f1c9b33064020b26824d460517

SHA256
59f9947d630dd0dc8dea74b3497cb2362121676cbeb8a3125aaceb987cbdebc0

SHA512
eb4498d4460ad6679dda8737fe8447ae87dfb076f985ea3e6efdc247f61e5695b68420e1beec7bd69920aec40010ddafb23f7b32b984fab42f484784e28c8aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
287KB

MD5
f217825b5235a9d67646f2ef41e9e68c

SHA1
4346d9c76b7d74f1c9b33064020b26824d460517

SHA256
59f9947d630dd0dc8dea74b3497cb2362121676cbeb8a3125aaceb987cbdebc0

SHA512
eb4498d4460ad6679dda8737fe8447ae87dfb076f985ea3e6efdc247f61e5695b68420e1beec7bd69920aec40010ddafb23f7b32b984fab42f484784e28c8aef

Download Submit
memory/2268-132-0x0000000000000000-mapping.dmp

Download