cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0

Analysis

max time kernel
72s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2022, 20:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe
Size

1.3MB
MD5

7929b6faca0bbe4352f7ae2f32032be6
SHA1

e1718603f008d69d71a6de4a5487f1018beb3d64
SHA256

cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0
SHA512

7619adae98b8f70db338f438bfab12c2054d8525029819300fc2a1073ca94b793506c75aa07202f558ad5ab3d21d4f8133dbbad5c233a7df8dd7ece1c533e747
SSDEEP

24576:4ry2uXzmVL9xm+8N163O6IXIwDDOeORIOm3UrAWYvJwE:4unUxMhOB6ONAHJwE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe

Loads dropped DLL 1 IoCs

pid	Process
4728	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4728	964	cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe	83
PID 964 wrote to memory of 4728	964	cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe	83
PID 964 wrote to memory of 4728	964	cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe	83

C:\Users\Admin\AppData\Local\Temp\cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe
"C:\Users\Admin\AppData\Local\Temp\cbcfef81fa2754cb9c8497da14cc34455419fd5fd93e1ce0de5f79b1134940a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s dFRSM.N /u
  2⤵
  - Loads dropped DLL
  PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dFRSM.N

Filesize
1.4MB

MD5
cc3686ba46136fd3d995dc9c6eb44423

SHA1
84a0d7c36b4a9798d05985dcd09cf0a97229cd74

SHA256
70a69fe0bbb44a4a4b78e0e7ec757f8865919b6d4078e591718adbe2948a7154

SHA512
c37ec98aca57d35d3a418e5d5226c4f2ad15f95d3aeac715aaad4827d9f9cbe58b4eb16f508a65b22267ad07b83b0d71c1191e6cf8cbe127d31bd962cb6fcf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfRsM.N

Filesize
1.4MB

MD5
cc3686ba46136fd3d995dc9c6eb44423

SHA1
84a0d7c36b4a9798d05985dcd09cf0a97229cd74

SHA256
70a69fe0bbb44a4a4b78e0e7ec757f8865919b6d4078e591718adbe2948a7154

SHA512
c37ec98aca57d35d3a418e5d5226c4f2ad15f95d3aeac715aaad4827d9f9cbe58b4eb16f508a65b22267ad07b83b0d71c1191e6cf8cbe127d31bd962cb6fcf1c

Download Submit
memory/4728-135-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4728-138-0x00000000007F0000-0x00000000007F6000-memory.dmp

Filesize
24KB

Download
memory/4728-139-0x0000000002770000-0x000000000284D000-memory.dmp

Filesize
884KB

Download
memory/4728-140-0x0000000002850000-0x0000000002916000-memory.dmp

Filesize
792KB

Download
memory/4728-141-0x0000000002850000-0x0000000002916000-memory.dmp

Filesize
792KB

Download