937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614

Analysis

max time kernel
206s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 09:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe
Size

725KB
MD5

08065db79b7a88aad40425384ebec6e7
SHA1

72a1e055a27242e29bb33fbeda88de4b6654f845
SHA256

937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614
SHA512

a15c723d00f26594728f1fd246f685e75f1d8ce2731c1099a8e777a08a6aa3a9120bdac4baae35bb008c39e71383eb3a63100847b486b8a1fddbe4b9654aec82
SSDEEP

12288:DrBUs/omQeiizTxuNJrz+YD5NyFawlb89s4glRYEjpLjRMMVRMMfRMMuRMMolauJ:DUezPAXrz+YDOFhb89klFLjRMMVRMMfV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IME_JPUpdate1.3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.bat\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 5092	4944	937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe	78
PID 4944 wrote to memory of 5092	4944	937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe	78
PID 4944 wrote to memory of 5092	4944	937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe	78

C:\Users\Admin\AppData\Local\Temp\937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe
"C:\Users\Admin\AppData\Local\Temp\937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IME_JPUpdate1.3 /d "\"C:\Users\Admin\AppData\Local\Temp\937b3cd21531e297f1f248cea23f79916b93b7d782fa01d46354108fef693614.bat\"" /f
  2⤵
  - Adds Run key to start application
  PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads