83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3

Analysis

max time kernel
90s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/12/2022, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe
Size

2.4MB
MD5

17270e6f6046ac0721f3647d6552492c
SHA1

46ecf362c7e836c763bc26b9cee836ba787d2c9e
SHA256

83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3
SHA512

e9f804ad1366a95871d8b9827702bf7730e824e058d588091a340e54f26ed0b6f6e2047cc75333856f2a0aea5f8bc6e5b52dda6415c7b632524648081abd34b5
SSDEEP

49152:mFKjBkFkki7yPsWXrW8duk8TP8Y3XkDPdE25iok0z6cPjbwb:mFKdpoWyu98Y3XWC2nR6cPQb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe

Loads dropped DLL 2 IoCs

pid	Process
4756	rundll32.exe
1504	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 2220	3092	83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe	80
PID 3092 wrote to memory of 2220	3092	83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe	80
PID 3092 wrote to memory of 2220	3092	83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe	80
PID 2220 wrote to memory of 4756	2220	control.exe	81
PID 2220 wrote to memory of 4756	2220	control.exe	81
PID 2220 wrote to memory of 4756	2220	control.exe	81
PID 4756 wrote to memory of 3852	4756	rundll32.exe	85
PID 4756 wrote to memory of 3852	4756	rundll32.exe	85
PID 3852 wrote to memory of 1504	3852	RunDll32.exe	86
PID 3852 wrote to memory of 1504	3852	RunDll32.exe	86
PID 3852 wrote to memory of 1504	3852	RunDll32.exe	86

C:\Users\Admin\AppData\Local\Temp\83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe
"C:\Users\Admin\AppData\Local\Temp\83af78c196b5bfdd9fb7cf6dcc703419b294b53a38385af36cc7a98d228d97c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\6pIgVGRU.y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\6pIgVGRU.y
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\6pIgVGRU.y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\6pIgVGRU.y
        5⤵
        Loads dropped DLL
        
        PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6pIgVGRU.y

Filesize
2.2MB

MD5
12aa6634cc103c3a2fc30779130b82bc

SHA1
b3d57a487de4a19364b0256e15c05f3faf94caaa

SHA256
f986e995daf5e3be62008fbc9244c3771cf44365924d22d4fbe34a7c1819e327

SHA512
a4e019a025f6987c4914575c53dd7983f96aeab21e33aa71bf4cd138febb8d8554e1ac778d006d3ca3084bb401b6833e5d1d7431c1b5f299685965412370e716

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pigVGRu.y

Filesize
2.2MB

MD5
12aa6634cc103c3a2fc30779130b82bc

SHA1
b3d57a487de4a19364b0256e15c05f3faf94caaa

SHA256
f986e995daf5e3be62008fbc9244c3771cf44365924d22d4fbe34a7c1819e327

SHA512
a4e019a025f6987c4914575c53dd7983f96aeab21e33aa71bf4cd138febb8d8554e1ac778d006d3ca3084bb401b6833e5d1d7431c1b5f299685965412370e716

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pigVGRu.y

Filesize
2.2MB

MD5
12aa6634cc103c3a2fc30779130b82bc

SHA1
b3d57a487de4a19364b0256e15c05f3faf94caaa

SHA256
f986e995daf5e3be62008fbc9244c3771cf44365924d22d4fbe34a7c1819e327

SHA512
a4e019a025f6987c4914575c53dd7983f96aeab21e33aa71bf4cd138febb8d8554e1ac778d006d3ca3084bb401b6833e5d1d7431c1b5f299685965412370e716

Download Submit
memory/1504-152-0x00000000033B0000-0x00000000035DB000-memory.dmp

Filesize
2.2MB

Download
memory/1504-149-0x0000000003CC0000-0x0000000003DA2000-memory.dmp

Filesize
904KB

Download
memory/1504-148-0x0000000003280000-0x0000000003379000-memory.dmp

Filesize
996KB

Download
memory/1504-145-0x00000000033B0000-0x00000000035DB000-memory.dmp

Filesize
2.2MB

Download
memory/4756-136-0x00000000032A0000-0x00000000034CB000-memory.dmp

Filesize
2.2MB

Download
memory/4756-139-0x0000000003070000-0x0000000003152000-memory.dmp

Filesize
904KB

Download
memory/4756-146-0x00000000032A0000-0x00000000034CB000-memory.dmp

Filesize
2.2MB

Download
memory/4756-147-0x0000000073480000-0x00000000736B6000-memory.dmp

Filesize
2.2MB

Download
memory/4756-138-0x0000000002F40000-0x0000000003039000-memory.dmp

Filesize
996KB

Download
memory/4756-137-0x0000000073480000-0x00000000736B6000-memory.dmp

Filesize
2.2MB

Download