2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad

Analysis

max time kernel
91s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe
Size

1.3MB
MD5

9ba325c317da1e15f8812b56548d9a3f
SHA1

c9e45984b0c48ecaee7dedbd0ecc6a63ff14948b
SHA256

2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad
SHA512

97eac25035049aea3190f4d6426fca777ea7c3c271e569f9a133a7829b32985f1d1261ed52b69850e2207f1be2330fdc3eca3e4fbfa94241b4633278c34da240
SSDEEP

24576:I/XEXjJSFHUKvBmeOm2aO4MbkdIxVZY1JTW297kvnRWVaHp8WZVC1mdIsB7+qobJ:I/oSRQFLW1JR7erHpfkUIzM6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 2392	748	2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe	79
PID 748 wrote to memory of 2392	748	2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe	79
PID 748 wrote to memory of 2392	748	2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe	79

C:\Users\Admin\AppData\Local\Temp\2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe
"C:\Users\Admin\AppData\Local\Temp\2b75431818dff82d2efb5f73ec134de61c200e70dec9e84123ccca53c9c6dfad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" .\QQjiB8O.L /u /s
  2⤵
  - Loads dropped DLL
  PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQjiB8O.L

Filesize
1.4MB

MD5
8e427772d18190b1388995ddc4f057b1

SHA1
dd7dbaea707f1d96b9e03c03c509cddf5cc806da

SHA256
fe2e262151535aa56813e7171403d4ec5eaff462aa64919c2922f7d9348fcfbe

SHA512
4a7f28800000adbecb675f9ca1c0b3405d4b0bb870e7dd5801f39662df52c1f86f6699e1628be0cc33e35251cc1b034e42094b0f02f9a202cf43241799a8e28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjib8O.l

Filesize
1.4MB

MD5
8e427772d18190b1388995ddc4f057b1

SHA1
dd7dbaea707f1d96b9e03c03c509cddf5cc806da

SHA256
fe2e262151535aa56813e7171403d4ec5eaff462aa64919c2922f7d9348fcfbe

SHA512
4a7f28800000adbecb675f9ca1c0b3405d4b0bb870e7dd5801f39662df52c1f86f6699e1628be0cc33e35251cc1b034e42094b0f02f9a202cf43241799a8e28b

Download Submit
memory/2392-135-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/2392-138-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/2392-139-0x00000000029D0000-0x0000000002AAD000-memory.dmp

Filesize
884KB

Download
memory/2392-140-0x0000000002AB0000-0x0000000002B76000-memory.dmp

Filesize
792KB

Download
memory/2392-141-0x0000000002AB0000-0x0000000002B76000-memory.dmp

Filesize
792KB

Download