9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe
Size

25KB
MD5

128e4d1a1d1436628442e8443321d356
SHA1

a10e6982cb39d7cbd854b22911bb3cf2101f3ced
SHA256

9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7
SHA512

ab22f892ed38db4cf04e098826b3dd81f3782fc2265b3fe56f5fb1d0c518336ece3370d4ccba98e4fe41de923ccdd81bc0e8d50ad1167c9c2f4eef5deff03bec
SSDEEP

384:p7shenvU5s+k2abxKHBRZkZTz5QGieSGe3LG/efo7rc0RZqV:1shyMa2abxKHBRZkZxlDhey+ofzEV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3912	pro.2009.v1.exe
3804	pro.2009.v1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pro.2009.v1.exe	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3848	3804	WerFault.exe	88

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2496	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3912	2496	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe	87
PID 2496 wrote to memory of 3912	2496	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe	87
PID 2496 wrote to memory of 3912	2496	9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe	87
PID 3912 wrote to memory of 3804	3912	pro.2009.v1.exe	88
PID 3912 wrote to memory of 3804	3912	pro.2009.v1.exe	88
PID 3912 wrote to memory of 3804	3912	pro.2009.v1.exe	88

C:\Users\Admin\AppData\Local\Temp\9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe
"C:\Users\Admin\AppData\Local\Temp\9154296ca4602461533debcd6538fa30f07a4fa5f33c5cb8b22e1f909cf639c7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\pro.2009.v1.exe
  "C:\Windows\pro.2009.v1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\pro.2009.v1.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 460
      4⤵
      Program crash
      PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3804 -ip 3804
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\pro.2009.v1.exe

Filesize
13KB

MD5
71cfb606974c31aa83876c9ec4a0b4bf

SHA1
4d7aea6d1af1ebe7b15540916ff13b403df8fcd4

SHA256
0642e8e4300fe259617d562844deb8ba58e750fcc6d5a7b2fe40c259e3bf235a

SHA512
9cde23dac5c3be807d8599fbcdb9cfeaf424589907d83fa13248be4c31329c797aac6aede7c87a782b761d8693d131ef18ba773949e1fccde35961ca3e2b30d8

Download Submit
C:\Windows\pro.2009.v1.exe

Filesize
13KB

MD5
71cfb606974c31aa83876c9ec4a0b4bf

SHA1
4d7aea6d1af1ebe7b15540916ff13b403df8fcd4

SHA256
0642e8e4300fe259617d562844deb8ba58e750fcc6d5a7b2fe40c259e3bf235a

SHA512
9cde23dac5c3be807d8599fbcdb9cfeaf424589907d83fa13248be4c31329c797aac6aede7c87a782b761d8693d131ef18ba773949e1fccde35961ca3e2b30d8

Download Submit
C:\Windows\pro.2009.v1.exe

Filesize
13KB

MD5
71cfb606974c31aa83876c9ec4a0b4bf

SHA1
4d7aea6d1af1ebe7b15540916ff13b403df8fcd4

SHA256
0642e8e4300fe259617d562844deb8ba58e750fcc6d5a7b2fe40c259e3bf235a

SHA512
9cde23dac5c3be807d8599fbcdb9cfeaf424589907d83fa13248be4c31329c797aac6aede7c87a782b761d8693d131ef18ba773949e1fccde35961ca3e2b30d8

Download Submit