d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666

Analysis

max time kernel
184s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe
Size

150KB
MD5

1f7e1cff070dde46f57bdd3eb14d5f53
SHA1

51b66922851561b994e27bc4a48d139938e3aa33
SHA256

d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666
SHA512

695f5608067707ed3dd5b0f0e81b2eb05ad6856d46e804f7d50f7e24cb6d9e733f9198b5c910e94993c7c30974accd6f5f854380e639bb6c2a7e98afbb2a3226
SSDEEP

3072:mlollZEpI52d/pKHdR7a+Q389jDU5X2OfklU6:mlollWpi2d/QHdRSTe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1552	MicroS0FT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kill.bat	MicroS0FT.exe
File created	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe
File opened for modification	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\MicroS0FT.exe	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe
3564	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1552	MicroS0FT.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1552	3564	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe	85
PID 3564 wrote to memory of 1552	3564	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe	85
PID 3564 wrote to memory of 1552	3564	d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe	85
PID 1552 wrote to memory of 4788	1552	MicroS0FT.exe	86
PID 1552 wrote to memory of 4788	1552	MicroS0FT.exe	86
PID 1552 wrote to memory of 4788	1552	MicroS0FT.exe	86

C:\Users\Admin\AppData\Local\Temp\d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe
"C:\Users\Admin\AppData\Local\Temp\d7ce1acb5a45d6e08d0c9cce182d084347f95bfc640c3feb1beb6698822d0666.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\MicroS0FT.exe
  "C:\Windows\MicroS0FT.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\kill.bat""
    3⤵
    PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MicroS0FT.exe

Filesize
104KB

MD5
677b0452bcce150ff7a141bc4b14de64

SHA1
487d8bce795b27715c38f26b439868bfef8178b1

SHA256
df98cb1b2ae15b3b9c563f654f8ee0031be8f5e31e5e083e117b81be0f79e846

SHA512
89c8ae5faa9a6a6fa58ab14edaad0a4e34ae10c0d032e939bf0cfe672f28d5ea95dcc0e6dbd7a07ba0650a52e3312a9feb74cff7042060cb1ecc9c10e1ebc355

Download Submit
C:\Windows\MicroS0FT.exe

Filesize
104KB

MD5
677b0452bcce150ff7a141bc4b14de64

SHA1
487d8bce795b27715c38f26b439868bfef8178b1

SHA256
df98cb1b2ae15b3b9c563f654f8ee0031be8f5e31e5e083e117b81be0f79e846

SHA512
89c8ae5faa9a6a6fa58ab14edaad0a4e34ae10c0d032e939bf0cfe672f28d5ea95dcc0e6dbd7a07ba0650a52e3312a9feb74cff7042060cb1ecc9c10e1ebc355

Download Submit
C:\Windows\SysWOW64\kill.bat

Filesize
76B

MD5
89167d6d87c61492684384027e42b499

SHA1
506f388e534a30145cbfd01c1084d3cdffb0c669

SHA256
d961f25d139da5312f59c689406f1fe0e359185b4215e730ba91f53dda9723d8

SHA512
5cdb6a033c45edfbb3faf8fe2b73e43fb70c6fd14f29f2a175e32dbff0cc2b7a6e2167274b1a1fd3313e60382959ba719aa0ba9f0c88e567068e8a43b6d93493

Download Submit