0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d

Analysis

max time kernel
122s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe
Size

1.5MB
MD5

5c7f0056223c7ea15e33015c2e8d03b9
SHA1

1c59ee747c47601f898265fd1936a591b7859b97
SHA256

0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d
SHA512

9ab22b48c2c8680b62ecc23307501288f5b6eddc488ff348f53a240e9829cab1b3b0a0c463c43857064028eed47d677429a172aee22458f02168ae4fc801e5e8
SSDEEP

24576:VJr8tEZgHqPxDQ6mJ4knfK+SnI9rTkp68olJxoXubBolvJKokXmdQbjI99DKdA:VJ4oPK6mtnCzIVTkQ8gJBbBG4lXI9Me

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	regsvr32.exe
1604	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1604	1944	0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe	82
PID 1944 wrote to memory of 1604	1944	0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe	82
PID 1944 wrote to memory of 1604	1944	0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe	82

C:\Users\Admin\AppData\Local\Temp\0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe
"C:\Users\Admin\AppData\Local\Temp\0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -U .\p6MkCCb5.hP /S
  2⤵
  - Loads dropped DLL
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p6MkCCb5.hP

Filesize
2.7MB

MD5
499d8083cd1ec07d5f9a4a692223bc51

SHA1
afdcba7842d8194928c2bdfb945f5ad7d8226212

SHA256
89aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50

SHA512
fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6mkCCb5.hP

Filesize
2.7MB

MD5
499d8083cd1ec07d5f9a4a692223bc51

SHA1
afdcba7842d8194928c2bdfb945f5ad7d8226212

SHA256
89aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50

SHA512
fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6mkCCb5.hP

Filesize
2.7MB

MD5
499d8083cd1ec07d5f9a4a692223bc51

SHA1
afdcba7842d8194928c2bdfb945f5ad7d8226212

SHA256
89aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50

SHA512
fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c

Download Submit
memory/1604-136-0x00000000022A0000-0x0000000002555000-memory.dmp

Filesize
2.7MB

Download
memory/1604-137-0x0000000002C10000-0x0000000002E74000-memory.dmp

Filesize
2.4MB

Download
memory/1604-138-0x0000000002F90000-0x000000000309C000-memory.dmp

Filesize
1.0MB

Download
memory/1604-139-0x00000000030A0000-0x0000000003175000-memory.dmp

Filesize
852KB

Download
memory/1604-140-0x0000000003180000-0x000000000323F000-memory.dmp

Filesize
764KB

Download
memory/1604-141-0x0000000003180000-0x000000000323F000-memory.dmp

Filesize
764KB

Download
memory/1604-143-0x0000000002F90000-0x000000000309C000-memory.dmp

Filesize
1.0MB

Download