c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa

Analysis

max time kernel
340s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe
Size

3.0MB
MD5

92a7572bf627b774ced84481ffe8e7f8
SHA1

fe804d8db8325b5d05d636f0eaf3c1f0d418e5fe
SHA256

c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa
SHA512

0a589fb99b9d2a897447bd4b6f95ac88cfae153dea95980c340fb1e198329e791c54e4d28d1b6e82a8bc4364a9d4c4411b67cf9cc4da1ae613cbfc33c34a7cba
SSDEEP

49152:b1dlZovzmzgFdIwrMCSiFhZ5OAnnU3YIABCgjhZJUUsJVKkQ4Aya5ZNaZHhtp8in:b1dl27SgFdEchjlUoBZjhZJUUsyko381

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	FLash player.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe

Loads dropped DLL 2 IoCs

pid	Process
332	FLash player.exe
332	FLash player.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FLash player.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
332	FLash player.exe
332	FLash player.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 332	3028	c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe	82
PID 3028 wrote to memory of 332	3028	c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe	82
PID 3028 wrote to memory of 332	3028	c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe	82

C:\Users\Admin\AppData\Local\Temp\c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe
"C:\Users\Admin\AppData\Local\Temp\c1605b75473b8bf01afdaf8ae04b35d14dad33f5bb8c0bf982b7f2099ec7a3fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Extracted\FLash player.exe
  "C:\Extracted\FLash player.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\FLash player.exe

Filesize
2.7MB

MD5
e867710538c1ad48e8245870442b66a4

SHA1
decf2866fb56b42b6a61749a60da3b8805390f2f

SHA256
379d862541849a61aa6264c1852a17859d049c569dffe2791522c9b14c6b188b

SHA512
12371d20deabd2d764a58c81fd264d2f2104a9a966342f1835d369e2e395116e4d71ec0468bc3c4eba20d3328429e2372bba9c7a6e473ef91f11a2b1d651b26e

Download Submit
C:\Extracted\FLash player.exe

Filesize
2.7MB

MD5
e867710538c1ad48e8245870442b66a4

SHA1
decf2866fb56b42b6a61749a60da3b8805390f2f

SHA256
379d862541849a61aa6264c1852a17859d049c569dffe2791522c9b14c6b188b

SHA512
12371d20deabd2d764a58c81fd264d2f2104a9a966342f1835d369e2e395116e4d71ec0468bc3c4eba20d3328429e2372bba9c7a6e473ef91f11a2b1d651b26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE0F.tmp

Filesize
304KB

MD5
a685099306fba154c00f46dbf16dcd6a

SHA1
dd28430b9b205afa553982276f3414b05b96baff

SHA256
cdeeb9407b501a45f7da20b05a28e1a05c11a4111fd227623d89023d5f236fa6

SHA512
61b81149480932d6cd8677d1fa6a6732b73fda74c1aa045d470fb66533c7950b66a25697b6df03c030126f8b2177ad7b6d5ee49073e2ab29a75936025bb7ae05

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2F2.tmp

Filesize
229KB

MD5
685cb0023423d963fa467bc89cffd27d

SHA1
c0d440f569a46a517edce7fce7aa396e246c5c16

SHA256
55082d6b1aaf2c4f9510b86873c4d022a3420f94a81ac704f18f71d1a66e72ea

SHA512
a988ad12a55fdb09f4a7433fc4b228925c97e5d5ae658feaceaa64e83d41c4e60573337a25790ac50fa2940a43ef825ee30441324f01641f7f094ea4e41b243c

Download Submit
memory/332-132-0x0000000000000000-mapping.dmp

Download