6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678

Analysis

max time kernel
185s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe
Size

236KB
MD5

0098d1c68120a9dacd6321d6110ea121
SHA1

5a1ad7b57971449e6f6584d2377b1d75b67752c4
SHA256

6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678
SHA512

55630a68716d185932cd074c58edb2a1fa42214ccbd2124033f78921230263cddef031551d5e88fb10747c79b0e9dcf37a25630bc4889d1121cf5a822e43002b
SSDEEP

6144:isaocyLCOpUBvyGsGbLVRzwYo+GmgkvNb2PWdcs/v5:itobxj5GvVZwp+vvOUj5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3944	install.exe
996	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	install.exe

Loads dropped DLL 1 IoCs

pid	Process
3352	6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	install.exe
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
996	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
996	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3944	3352	6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe	82
PID 3352 wrote to memory of 3944	3352	6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe	82
PID 3944 wrote to memory of 996	3944	install.exe	88
PID 3944 wrote to memory of 996	3944	install.exe	88
PID 3944 wrote to memory of 996	3944	install.exe	88

C:\Users\Admin\AppData\Local\Temp\6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe
"C:\Users\Admin\AppData\Local\Temp\6b200ec2fd8e18a8e9c6aa1c902021040740cda5c8b550897f29201c9102f678.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\install.exe
  C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\install.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e6032197 /dT131881106S /t
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e6032197 /dT131881106S /t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
3e1c67c01655dfb58651e58837eb910d

SHA1
3b0a527046b5c13df725e9515f4248e6dbd1e5d1

SHA256
828d874ad567b0713b029403828ef22f5bfd39dafab8e61a1b24caad8be769b0

SHA512
47794d05dbccb4c06b5dd60782ebee03c993c94b2af6a77a4a32a1cf8173d1351274582dd606c15fcc8909377c706c49e1f07a394272d26c40097df14f734c23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
8fbd150245cbd4afa3e00edbf9417005

SHA1
5d1b4aaf26f2baff88dc0f34413ff6a90524f45f

SHA256
5a25967995419cabca0e99e471b4d8baf703261855d471d153a6fa1d8fc59138

SHA512
f170cddc8ba92de071239b9f5c3fd972a369e07296e3bf8aa0a52570d4ad9f858e9ba4cf59c0ffa433bcf588c2357b1de96a075f8947e86c4f61d6c507998f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
51dd726303a669452cafb7457af186bf

SHA1
968fcfbd43a3041f5503c7f6f38897eea109be38

SHA256
4a7fe0e909c9faa94435284334073bfa246635db92b98b6aa0004a551bbb77f4

SHA512
6580fb8344a2ff01d4e619f505ff921d1c180b8195e161898921ca17c450298fa5108ef714c21819621085121d5e5df43e03ef107aa75fddb10555fcf53b28c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
248KB

MD5
22be5edcbe2fd71af6d4a98529a58d88

SHA1
974d22883901d75a407c46282ef75acb0187cb21

SHA256
c4cfe2563b9681d78283c124f49d0a627be62bd040cabeb94bfeaab2b6733e35

SHA512
3d3e9ba2aa4f0b67faa052d304b4186bafe539f6ae88efa38a745246e47a351607a968f8af96fc8b8d78e4cc85dcfd28f009aad47608f855588fd7530910a624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
248KB

MD5
22be5edcbe2fd71af6d4a98529a58d88

SHA1
974d22883901d75a407c46282ef75acb0187cb21

SHA256
c4cfe2563b9681d78283c124f49d0a627be62bd040cabeb94bfeaab2b6733e35

SHA512
3d3e9ba2aa4f0b67faa052d304b4186bafe539f6ae88efa38a745246e47a351607a968f8af96fc8b8d78e4cc85dcfd28f009aad47608f855588fd7530910a624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\install.exe

Filesize
186KB

MD5
6952e7f408e985dd1a7123105e80d11e

SHA1
f9d5e415463bbfbbe6820e9da4deead31d0e9db0

SHA256
0112b9c0972f296a938111dc5f96c4bf6063257271cb69176d229cd551b13295

SHA512
e3fc516d8ef5a633535d1973891866bebb92e8556a5742cca220d16c5350312a44ad74b6f98f63f34cae94faa6a7d1841d7b0f33090d7577d7bb117ebdd0b615

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\install.exe

Filesize
186KB

MD5
6952e7f408e985dd1a7123105e80d11e

SHA1
f9d5e415463bbfbbe6820e9da4deead31d0e9db0

SHA256
0112b9c0972f296a938111dc5f96c4bf6063257271cb69176d229cd551b13295

SHA512
e3fc516d8ef5a633535d1973891866bebb92e8556a5742cca220d16c5350312a44ad74b6f98f63f34cae94faa6a7d1841d7b0f33090d7577d7bb117ebdd0b615

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3AD8.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/996-142-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/3944-136-0x000000001BD10000-0x000000001C746000-memory.dmp

Filesize
10.2MB

Download