373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16

Analysis

max time kernel
1s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
Size

422KB
MD5

c01519ccb12236a0977c1654ead8f14e
SHA1

33cdbfa6067bf67108724dcdeeb7014748ff0896
SHA256

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16
SHA512

64e04c9a8aee4bc29ac4d89a19a2b4194a35616bc35c55c0be617c6173a35d2f5551a4040a47a9fd77a335b46f2ccaa782e6d613f1d33acac5004be0aed359a3
SSDEEP

6144:qBnmeG0xkz6C2U/2aqg9JBP/W9OGxEx82mThudVzCjmece9staSOdq9gmbn72:OGlaKpWcGOx2udQueAOIlC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lmkqj.exe

pid process

3760 lmkqj.exe

pid	process
3760	lmkqj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lmkqj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfcledy = "C:\\Users\\Admin\\AppData\\Roaming\\hkcddcd\\vgeyjkvexfnacj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lmkqj.exe\" C:\\Users\\Admin\\AppData\\Loc"	lmkqj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lmkqj.exe

description pid process target process

PID 3760 set thread context of 1360 3760 lmkqj.exe lmkqj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lmkqj.exe

pid process

3760 lmkqj.exe

description	pid	process	target process
PID 3760 set thread context of 1360	3760	lmkqj.exe	lmkqj.exe

pid	process
3760	lmkqj.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exelmkqj.exe

description	pid	process	target process
PID 4656 wrote to memory of 3760	4656	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 4656 wrote to memory of 3760	4656	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 4656 wrote to memory of 3760	4656	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 3760 wrote to memory of 1360	3760	lmkqj.exe	lmkqj.exe
PID 3760 wrote to memory of 1360	3760	lmkqj.exe	lmkqj.exe
PID 3760 wrote to memory of 1360	3760	lmkqj.exe	lmkqj.exe
PID 3760 wrote to memory of 1360	3760	lmkqj.exe	lmkqj.exe

C:\Users\Admin\AppData\Local\Temp\373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
"C:\Users\Admin\AppData\Local\Temp\373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
"C:\Users\Admin\AppData\Local\Temp\lmkqj.exe" C:\Users\Admin\AppData\Local\Temp\gjzvkkyig.re
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
"C:\Users\Admin\AppData\Local\Temp\lmkqj.exe"
3⤵
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gjzvkkyig.re
Filesize
7KB

MD5
10f8e90e2dd7401fb3f721c98c81288e

SHA1
39b43b5d48b4a2d87429d967465f26c5917f32c7

SHA256
a8410a9f41d2af96098d194e8dabd8ad01760bd7d5460a06feefcac929009bc9

SHA512
0806cb941029c6eb4c73f6ab7a7b8f18b66dd7934ab752e2e55819a672bd3dcfcd0c60b706c1294c451ae5a2e8a02d18fe29097bcefae0d721aadca3998aa29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlqdv.hgm
Filesize
185KB

MD5
b640508ca8194b7b7154e5284657d371

SHA1
a2c067da18b2180182eb61de6db7fcce59085e58

SHA256
1c6c854da27054259309d47bc738f711072ba7e75d3a2f2a18a8368c47a21adf

SHA512
0242e6c28b4f8a23cb9d0b611e33ef1097904850e54bbad1d0a62052e30083218fa7edc90f30d5f6c4432580f9f0b2c55d86068088f6980380e22197bb480c82

Download Submit
memory/1360-137-0x0000000000000000-mapping.dmp

Download
memory/3760-132-0x0000000000000000-mapping.dmp

Download