649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
Size

179KB
MD5

8155b71a2e4562b5e682d22f0010bd24
SHA1

6a9bc4ae28b678ec766ccc6e1e80bd8e0216f3f5
SHA256

649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b
SHA512

8966917fa4607935d370704ecab41461615239258419891ae70de086956f86fda693f9070e09da25cff110e51e75806ff92c943c914839f885fe168c4929a65a
SSDEEP

3072:X875giexVu7fhrnv6MJQPRu2uuQ6ET31Ap0A+GpMWLHJiFp3:slPex8VuMepBLRLpiz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3232	3108	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	80
PID 3108 wrote to memory of 3232	3108	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	80
PID 3108 wrote to memory of 3232	3108	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	80
PID 3232 wrote to memory of 3040	3232	cmd.exe	82
PID 3232 wrote to memory of 3040	3232	cmd.exe	82
PID 3232 wrote to memory of 3040	3232	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
"C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\3482\lmbd.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\3482\lmbd.dll"
    3⤵
    - Loads dropped DLL
    PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3482\lmbd.dll

Filesize
92KB

MD5
7cb12175da81309e26bb86cd25c49540

SHA1
86b7de2a4a84b82ef19e0626b34edda01e46c93d

SHA256
3c3c6e8eaccf40b723d6225fdfb58a29e42c8071406bf70ef427c59fae21ea85

SHA512
22172711f774a1163e6b25d6c229b925f87d088c0cb494b0c827bd4c6e0d153352048739a2254ce0ea364f45c74710da13a53fa256992feb1f31861bdc8d4631

Download Submit
C:\ProgramData\3482\lmbd.dll

Filesize
92KB

MD5
7cb12175da81309e26bb86cd25c49540

SHA1
86b7de2a4a84b82ef19e0626b34edda01e46c93d

SHA256
3c3c6e8eaccf40b723d6225fdfb58a29e42c8071406bf70ef427c59fae21ea85

SHA512
22172711f774a1163e6b25d6c229b925f87d088c0cb494b0c827bd4c6e0d153352048739a2254ce0ea364f45c74710da13a53fa256992feb1f31861bdc8d4631

Download Submit
memory/3040-149-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3040-148-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3040-147-0x0000000000C10000-0x0000000000C27000-memory.dmp

Filesize
92KB

Download
memory/3040-146-0x0000000000C10000-0x0000000000C27000-memory.dmp

Filesize
92KB

Download
memory/3108-140-0x0000000000520000-0x0000000000540000-memory.dmp

Filesize
128KB

Download
memory/3108-132-0x0000000000BC0000-0x0000000000BF3000-memory.dmp

Filesize
204KB

Download
memory/3108-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3108-138-0x0000000000BC0000-0x0000000000BF3000-memory.dmp

Filesize
204KB

Download
memory/3108-144-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/3108-145-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/3108-136-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/3108-135-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/3108-134-0x0000000000520000-0x0000000000540000-memory.dmp

Filesize
128KB

Download
memory/3108-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download