620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe
Size

1.3MB
MD5

3d0d5b2b3d0581eb6a6a386079b7e1ec
SHA1

780201aef7ce831d110c25de087950987fe555c6
SHA256

620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400
SHA512

105bd19a6a2a1b3c98a4993664dfc35656d449bca6d9efc66c0fd3f287b32b280ae43d9cbf0d3507010e79c5729a57856fe6be5d47733fd2f17cb7fb4d5baec8
SSDEEP

24576:O208/RKHuEBNPn6E8UU6dWPLoDCQxMUjd3KzczKj9yb52T4K8U:908/RYRt8qWTKjlARxvbl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe

Loads dropped DLL 1 IoCs

pid	Process
4024	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4024	3788	620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe	79
PID 3788 wrote to memory of 4024	3788	620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe	79
PID 3788 wrote to memory of 4024	3788	620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe	79

C:\Users\Admin\AppData\Local\Temp\620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe
"C:\Users\Admin\AppData\Local\Temp\620c1a7f0a09c08aaafd8fb0e1ba3bc288b9aa9d22b97ccd0feddd5536fba400.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /Y .\lETwPX.Q
  2⤵
  - Loads dropped DLL
  PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lETwPX.Q

Filesize
1.4MB

MD5
1a688dee6d7417182604e852453e9150

SHA1
88737766eda32624f228e9f2fbeb7330db575541

SHA256
0f600ac9dfddfa6c7376b96de97eeefb4a93e0e551c3aab767cdc68614abcca8

SHA512
2f40a18b03a1e25599243e56eef9b226898a8e3645eacba6a9fee7cb6e8d73162e691284ff35302a4a2dcf22aadcd88f2cdbe57ca79420913d6dd55e383e85f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lETwpX.q

Filesize
1.4MB

MD5
1a688dee6d7417182604e852453e9150

SHA1
88737766eda32624f228e9f2fbeb7330db575541

SHA256
0f600ac9dfddfa6c7376b96de97eeefb4a93e0e551c3aab767cdc68614abcca8

SHA512
2f40a18b03a1e25599243e56eef9b226898a8e3645eacba6a9fee7cb6e8d73162e691284ff35302a4a2dcf22aadcd88f2cdbe57ca79420913d6dd55e383e85f0

Download Submit
memory/4024-135-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download
memory/4024-138-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/4024-139-0x0000000003390000-0x0000000003470000-memory.dmp

Filesize
896KB

Download
memory/4024-140-0x0000000003470000-0x0000000003538000-memory.dmp

Filesize
800KB

Download