28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2022, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe
Size

1.6MB
MD5

6b3030ad5bc688a9a59364df9a89fb5c
SHA1

ef5d3966b96eb2683ea51ecc7e6a02df97bf81db
SHA256

28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16
SHA512

37c85078fd6934936b18a8a772bb92b49ef780ee7f03835afcf33decba7372977e03b2390f27f516f2e298f3115edd6a8395e8cc6308c3bd4f9ee4d59bbf2055
SSDEEP

24576:5HLmCiIhiXl9XpzvQqHcJJSpvCTxja8UEZero+AbIYU/XPEuCXYwABdcM35a79cK:qvXpF8fivWZe6cjvPE98dt3c790Jw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2560	3448	28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe	80
PID 3448 wrote to memory of 2560	3448	28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe	80
PID 3448 wrote to memory of 2560	3448	28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe	80

C:\Users\Admin\AppData\Local\Temp\28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe
"C:\Users\Admin\AppData\Local\Temp\28d7b6b6276c62ea27e0bec08d9c097c26c14a960d08318daac0a156cf6a8f16.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -u /S 99SLGJF9.uI
  2⤵
  - Loads dropped DLL
  PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99SLGJF9.uI

Filesize
1.2MB

MD5
2752909157ac082228a0dc5e5c915615

SHA1
5ba0b3aa11951912d2eaab7c411c9fc999e45768

SHA256
270ac65723270f021dbe842fe3747019e56e62214a953b6a030ecaae13f39be3

SHA512
191b39b5ee89d4170745e670b12fb9ca6aef884a182d150fa50896978d3210136eebd77a0497cc52a20659f33b205a1aa977248d776bf2fb7dc9332ec57f447b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99sLGJF9.uI

Filesize
1.2MB

MD5
2752909157ac082228a0dc5e5c915615

SHA1
5ba0b3aa11951912d2eaab7c411c9fc999e45768

SHA256
270ac65723270f021dbe842fe3747019e56e62214a953b6a030ecaae13f39be3

SHA512
191b39b5ee89d4170745e670b12fb9ca6aef884a182d150fa50896978d3210136eebd77a0497cc52a20659f33b205a1aa977248d776bf2fb7dc9332ec57f447b

Download Submit
memory/2560-135-0x0000000002A30000-0x0000000002B42000-memory.dmp

Filesize
1.1MB

Download
memory/2560-136-0x0000000002C60000-0x0000000002D6E000-memory.dmp

Filesize
1.1MB

Download
memory/2560-137-0x0000000002D70000-0x0000000002E47000-memory.dmp

Filesize
860KB

Download
memory/2560-138-0x0000000002E50000-0x0000000002F12000-memory.dmp

Filesize
776KB

Download
memory/2560-141-0x0000000002C60000-0x0000000002D6E000-memory.dmp

Filesize
1.1MB

Download