a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8

Analysis

max time kernel
151s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe
Size

1.0MB
MD5

9a481a2aa3b138706b193f761aec8665
SHA1

1bf7888f9d7327a586373c6b4c44b91c1d955af5
SHA256

a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8
SHA512

15aacf40091be6d04885f8eaf680aaee9618b1b111077783a1af927c78d0ea50af38886db37f26c8923a1df023156e6b47ebc2d377779cde1a3d0197cc9eb7a8
SSDEEP

12288:8kQ4PIcBqHybSce3dhPq5nd+qsT1Z7LrA2CKw4sU355Rlgmf/rXS+Q/R7pD:85QIzHyuhiDyrPCKH55RTg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
632	IM_Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
1152	QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
632	IM_Server.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1152	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	83
PID 1876 wrote to memory of 1152	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	83
PID 1876 wrote to memory of 1152	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	83
PID 1876 wrote to memory of 632	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	84
PID 1876 wrote to memory of 632	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	84
PID 1876 wrote to memory of 632	1876	a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe	84

C:\Users\Admin\AppData\Local\Temp\a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe
"C:\Users\Admin\AppData\Local\Temp\a0715843584e8a4b7bc41ceeef3591993823a95ba0df45d1963e6fb87ae26dd8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe
  "C:\Users\Admin\AppData\Local\Temp\QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\IM_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\IM_Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IM_Server.exe

Filesize
156KB

MD5
1f0eb3a06ef4736954193adbfb9eac79

SHA1
3bb08f112ebac8e70121cc4125847805e269ce93

SHA256
2f3381962fcd34ad7f6f142aeffa76e02d68a0d2f9f308ecb760ead9954b1a68

SHA512
8c73f2d6be441bb03cd4c6dcdcc50d7cc04d88db8f163c713cfc540ebe8ac7bc684b17ef17c4a07516ae337322b3abbae8dbcc2a30c5503a9ab6bd6dc398b31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_Server.exe

Filesize
156KB

MD5
1f0eb3a06ef4736954193adbfb9eac79

SHA1
3bb08f112ebac8e70121cc4125847805e269ce93

SHA256
2f3381962fcd34ad7f6f142aeffa76e02d68a0d2f9f308ecb760ead9954b1a68

SHA512
8c73f2d6be441bb03cd4c6dcdcc50d7cc04d88db8f163c713cfc540ebe8ac7bc684b17ef17c4a07516ae337322b3abbae8dbcc2a30c5503a9ab6bd6dc398b31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe

Filesize
308KB

MD5
3ce3d65329d4d6d916ffd17e5c7541ab

SHA1
dad9d1b452323f212c3e96a6dfc9a15c2d4fbc54

SHA256
a9a09cc390952643dad834ba34d161979f4e0ae9b3a21339a9eb134bf38395b9

SHA512
f506014febf8c9b9101091d96bdd27728c1a3cb0898c9fbb91c68d4c27db7eb728338f6bc63e4d0ab971b1479e82eb36d17a6e5f9a3412e00baf1d22ad7cd8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQÁ¬Á¬¿´ÎÞµÐ»úÆ÷ÈË.exe

Filesize
308KB

MD5
3ce3d65329d4d6d916ffd17e5c7541ab

SHA1
dad9d1b452323f212c3e96a6dfc9a15c2d4fbc54

SHA256
a9a09cc390952643dad834ba34d161979f4e0ae9b3a21339a9eb134bf38395b9

SHA512
f506014febf8c9b9101091d96bdd27728c1a3cb0898c9fbb91c68d4c27db7eb728338f6bc63e4d0ab971b1479e82eb36d17a6e5f9a3412e00baf1d22ad7cd8f5

Download Submit
memory/632-135-0x0000000000000000-mapping.dmp

Download
memory/1152-132-0x0000000000000000-mapping.dmp

Download