5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe
Size

1.5MB
MD5

140baf80ebfd2cff1e5369ac024cf5e3
SHA1

ae65b5aae18f10f3a5964b6d9bdf29f9663624ac
SHA256

5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1
SHA512

6a62d44a0f7390526b1bff9d68dacc62e63d8eb8f6110816b2492cb57381f7edb6cc25ed9e61cc96eb9b96d080e238efa5ac5ec48810bbe8c2e86da18b51a9df
SSDEEP

24576:I/XEXjJSFHUKliHQy+mMEjX98KlPreQ3VCceVC8XaoWpjMqRZ32GPcnk6tnwh118:I/oSlyjv8KxdVCceVjaoWpj7ywikMQ1y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	rundll32.exe
4592	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 4840	444	5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe	81
PID 444 wrote to memory of 4840	444	5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe	81
PID 444 wrote to memory of 4840	444	5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe	81
PID 4840 wrote to memory of 2432	4840	control.exe	83
PID 4840 wrote to memory of 2432	4840	control.exe	83
PID 4840 wrote to memory of 2432	4840	control.exe	83
PID 2432 wrote to memory of 5008	2432	rundll32.exe	90
PID 2432 wrote to memory of 5008	2432	rundll32.exe	90
PID 5008 wrote to memory of 4592	5008	RunDll32.exe	91
PID 5008 wrote to memory of 4592	5008	RunDll32.exe	91
PID 5008 wrote to memory of 4592	5008	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe
"C:\Users\Admin\AppData\Local\Temp\5aa0008ac7a204787006240fd234dc1fab888fd200b42d605f00ab970173cdb1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KrAIi_.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KrAIi_.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KrAIi_.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\KrAIi_.CPL",
        5⤵
        Loads dropped DLL
        
        PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KrAIi_.CPL

Filesize
1.4MB

MD5
a56cdbc11d83cca62523ef1d20435a54

SHA1
27b4d383546489ca04cb7aaee9a9de71ada93e84

SHA256
89a91d63c5658ef1286967d1f8cfc21ebeb9f18d124be21fbb88fd56af3595ee

SHA512
9b3fba9e7d7aedbb664cc6953a98898f8e0809320daa31e456dbeff1f9124f732f772155eb3123ab780276a764af88cc163891fb4de56bd4d1d0a4136e481012

Download Submit
C:\Users\Admin\AppData\Local\Temp\KraIi_.cpl

Filesize
1.4MB

MD5
a56cdbc11d83cca62523ef1d20435a54

SHA1
27b4d383546489ca04cb7aaee9a9de71ada93e84

SHA256
89a91d63c5658ef1286967d1f8cfc21ebeb9f18d124be21fbb88fd56af3595ee

SHA512
9b3fba9e7d7aedbb664cc6953a98898f8e0809320daa31e456dbeff1f9124f732f772155eb3123ab780276a764af88cc163891fb4de56bd4d1d0a4136e481012

Download Submit
C:\Users\Admin\AppData\Local\Temp\KraIi_.cpl

Filesize
1.4MB

MD5
a56cdbc11d83cca62523ef1d20435a54

SHA1
27b4d383546489ca04cb7aaee9a9de71ada93e84

SHA256
89a91d63c5658ef1286967d1f8cfc21ebeb9f18d124be21fbb88fd56af3595ee

SHA512
9b3fba9e7d7aedbb664cc6953a98898f8e0809320daa31e456dbeff1f9124f732f772155eb3123ab780276a764af88cc163891fb4de56bd4d1d0a4136e481012

Download Submit
memory/2432-138-0x0000000002CB0000-0x0000000002D95000-memory.dmp

Filesize
916KB

Download
memory/2432-136-0x0000000002670000-0x00000000027D2000-memory.dmp

Filesize
1.4MB

Download
memory/2432-137-0x0000000073280000-0x00000000733EA000-memory.dmp

Filesize
1.4MB

Download
memory/2432-139-0x0000000002DB0000-0x0000000002E80000-memory.dmp

Filesize
832KB

Download
memory/4592-145-0x0000000002240000-0x00000000023A2000-memory.dmp

Filesize
1.4MB

Download
memory/4592-146-0x0000000002BE0000-0x0000000002CC5000-memory.dmp

Filesize
916KB

Download
memory/4592-147-0x0000000002CD0000-0x0000000002DA0000-memory.dmp

Filesize
832KB

Download