bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 01:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
Size

51KB
MD5

30b275ca07116b0ad7fa981d66433c4e
SHA1

b481ea3c07f9bdf935d418359eb3273add80457f
SHA256

bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75
SHA512

619391f62c3450e5d1fe62f12f8e17f101f1ce281325ab5b5b932c2ab4d9f188658d0fc01f148fc78906f2f09d72ce146c32a46f986570319bc9d31bc6060d06
SSDEEP

768:+852xLmAQZ3KbcX3Ctp9xTMtzosri6en4JNCvNdoK86fH4InGXmrXjIx:+852xp+8HjYJNCboKxfYNQI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F}	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F}\	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F}\InProcServer32	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\SysYH.vxd"	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F}\InProcServer32\ThreadingModel = "Apartment"	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4328	4932	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe	85
PID 4932 wrote to memory of 4328	4932	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe	85
PID 4932 wrote to memory of 4328	4932	bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe	85

C:\Users\Admin\AppData\Local\Temp\bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe
"C:\Users\Admin\AppData\Local\Temp\bd5d46eae9820b98d9b83bf819a18f9ccc5a35c6f4abaf1310ca6a2ca7486c75.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_xr.bat" "
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_xr.bat

Filesize
248B

MD5
b4d6fdf66ab48ea46303b8a9901458f2

SHA1
c30b3f6df31bd564b9421719987580df87f27081

SHA256
036fdeba0d68ad5b3d23d6b93c3a104899a15d80cf2b2cfd76c2e7aa878eed53

SHA512
9f3ba8ee600e48e85c06bff632fc641e9b84d82c0b67e164ba5d04961ee35da1480d6ecf31b851ba973088ae1ab73c4714308116de457d3e72bcb5645b8a6536

Download Submit
memory/4932-132-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4932-134-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download