afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734

Analysis

max time kernel
142s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe
Size

126KB
MD5

a3f801a47cf233092211ed1b58d9a4ff
SHA1

e7e08b8af0ea72ce3bdc998cb731552bd2ad3f2e
SHA256

afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734
SHA512

134f7b81be95060fcccd47c1713ab623234f5e88a870f582206f8b91d697fb6addd4b796a2981bd072c9a70abd9fee65f735c69bf7757566a029d18fd45b0822
SSDEEP

3072:vcINEMu9CzG7jb+Wd0W/FpcBLQYUGEL5ai8avu:e/yGD+1upcBLQBvKavu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1708	tmp.exe
2548	m1qkvo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2548	m1qkvo.exe
2548	m1qkvo.exe
2548	m1qkvo.exe
2548	m1qkvo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4316	afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe
1708	tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1708	4316	afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe	84
PID 4316 wrote to memory of 1708	4316	afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe	84
PID 4316 wrote to memory of 1708	4316	afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe	84
PID 1708 wrote to memory of 2548	1708	tmp.exe	85
PID 1708 wrote to memory of 2548	1708	tmp.exe	85
PID 1708 wrote to memory of 2548	1708	tmp.exe	85
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48
PID 2548 wrote to memory of 2532	2548	m1qkvo.exe	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe
  "C:\Users\Admin\AppData\Local\Temp\afcce4a5e267b30ac77172e2aaf53d1137e08aeca0e91db697c6299c64e71734.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\m1qkvo.exe
      "C:\Users\Admin\AppData\Local\Temp\m1qkvo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\m1qkvo.exe

Filesize
28KB

MD5
5ff945b7c967abc083d085a0743d3270

SHA1
d671c06ab991b5d15070649209eb34b47815ac8c

SHA256
8bb27aeace7c22fd489209637accf0574081287a31d42ed7bfcb31f23c9f3261

SHA512
50c4dc2ec37d6abe2ada2eea3fd8948f2407e8dfbcc5c146f396d04c6841e14fa4b89449e6e62c5a8b3b8a2a45f49b85fb7c780323190cbba36bcd1be28eb63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1qkvo.exe

Filesize
28KB

MD5
5ff945b7c967abc083d085a0743d3270

SHA1
d671c06ab991b5d15070649209eb34b47815ac8c

SHA256
8bb27aeace7c22fd489209637accf0574081287a31d42ed7bfcb31f23c9f3261

SHA512
50c4dc2ec37d6abe2ada2eea3fd8948f2407e8dfbcc5c146f396d04c6841e14fa4b89449e6e62c5a8b3b8a2a45f49b85fb7c780323190cbba36bcd1be28eb63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
44KB

MD5
634250169d4a267ff85c73f942018162

SHA1
57760a6e14956de1d8c8c7f5d6177377e4b2f870

SHA256
a2a837b2f98c97756ce403cd4de6901bfec428c3c11f00e5f3b50e1700562a7b

SHA512
87d52aa800c63b4b8d1b502f0dc7f5140343872e941a57ac3a9464b11a8798cdee42fb54d0687ba43b813d624b88281fc825621bf97b3d32a76726790d5ffbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
44KB

MD5
634250169d4a267ff85c73f942018162

SHA1
57760a6e14956de1d8c8c7f5d6177377e4b2f870

SHA256
a2a837b2f98c97756ce403cd4de6901bfec428c3c11f00e5f3b50e1700562a7b

SHA512
87d52aa800c63b4b8d1b502f0dc7f5140343872e941a57ac3a9464b11a8798cdee42fb54d0687ba43b813d624b88281fc825621bf97b3d32a76726790d5ffbff

Download Submit
memory/2532-144-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/2548-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2548-146-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4316-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download