9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2022 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe
Size

1.6MB
MD5

4eb35177f787f5f9e08e20110614c820
SHA1

18959743d17357ba3e52de0ee6077aa5de0eca0a
SHA256

9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f
SHA512

6e8c99c130a39dc693107dcbd80ad99d611d0c161765ec60f1ad54ac25e0bf0266ddf57c47347f0565e2c1f0f9ed3a296fe9ba5e8e1c266875b7487d10da81de
SSDEEP

24576:pLlgAi5bcP5ePPluEKs9kIRoB1Pz/WGgU/ujPVN2hcnjfto+7RRyc:pyC5ePtfjkXB1Pjh8rqhVg3j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe

Loads dropped DLL 2 IoCs

pid	Process
4392	rundll32.exe
1828	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4404	1404	9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe	79
PID 1404 wrote to memory of 4404	1404	9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe	79
PID 1404 wrote to memory of 4404	1404	9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe	79
PID 4404 wrote to memory of 4392	4404	control.exe	80
PID 4404 wrote to memory of 4392	4404	control.exe	80
PID 4404 wrote to memory of 4392	4404	control.exe	80
PID 4392 wrote to memory of 3488	4392	rundll32.exe	84
PID 4392 wrote to memory of 3488	4392	rundll32.exe	84
PID 3488 wrote to memory of 1828	3488	RunDll32.exe	85
PID 3488 wrote to memory of 1828	3488	RunDll32.exe	85
PID 3488 wrote to memory of 1828	3488	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe
"C:\Users\Admin\AppData\Local\Temp\9231913f4042fd60123db9aec9777b5417119648ebb217b0ee3f4890f76fff0f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\FK03H.KA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FK03H.KA
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FK03H.KA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FK03H.KA
        5⤵
        Loads dropped DLL
        
        PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FK03H.KA

Filesize
1.6MB

MD5
21bd6f06f8034b907526998d29780578

SHA1
3fafb61a9b54f01cf7b193d006730b3b89e70798

SHA256
7f3f1ad144214aa35091f803d7f8d7c3135fc2ab7053dabd5219c32dd7a14332

SHA512
2d7d5299eae28707607e922e33e5238490b36a8ac54093ad00a1a276aee2454d2db253373caf49e32f3e371f7ec77ea861112e9b964e66f0b09265040ed72d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\FK03H.ka

Filesize
1.6MB

MD5
21bd6f06f8034b907526998d29780578

SHA1
3fafb61a9b54f01cf7b193d006730b3b89e70798

SHA256
7f3f1ad144214aa35091f803d7f8d7c3135fc2ab7053dabd5219c32dd7a14332

SHA512
2d7d5299eae28707607e922e33e5238490b36a8ac54093ad00a1a276aee2454d2db253373caf49e32f3e371f7ec77ea861112e9b964e66f0b09265040ed72d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\FK03H.ka

Filesize
1.6MB

MD5
21bd6f06f8034b907526998d29780578

SHA1
3fafb61a9b54f01cf7b193d006730b3b89e70798

SHA256
7f3f1ad144214aa35091f803d7f8d7c3135fc2ab7053dabd5219c32dd7a14332

SHA512
2d7d5299eae28707607e922e33e5238490b36a8ac54093ad00a1a276aee2454d2db253373caf49e32f3e371f7ec77ea861112e9b964e66f0b09265040ed72d67

Download Submit
memory/1828-151-0x0000000003370000-0x0000000003487000-memory.dmp

Filesize
1.1MB

Download
memory/1828-148-0x0000000003580000-0x0000000003650000-memory.dmp

Filesize
832KB

Download
memory/1828-147-0x0000000003490000-0x0000000003577000-memory.dmp

Filesize
924KB

Download
memory/1828-145-0x0000000003130000-0x000000000324B000-memory.dmp

Filesize
1.1MB

Download
memory/1828-146-0x0000000003370000-0x0000000003487000-memory.dmp

Filesize
1.1MB

Download
memory/4392-139-0x0000000003240000-0x0000000003310000-memory.dmp

Filesize
832KB

Download
memory/4392-138-0x0000000003150000-0x0000000003237000-memory.dmp

Filesize
924KB

Download
memory/4392-137-0x0000000003030000-0x0000000003147000-memory.dmp

Filesize
1.1MB

Download
memory/4392-136-0x0000000002DF0000-0x0000000002F0B000-memory.dmp

Filesize
1.1MB

Download
memory/4392-152-0x0000000003030000-0x0000000003147000-memory.dmp

Filesize
1.1MB

Download