Analysis
- max time kernel: 90s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 11:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe
- Resource: win10v2004-20221111-en
General
- Target: 2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe
- Size: 1.4MB
- MD5: e26dc323c03fd7fc5b80cbbf1f757803
- SHA1: e87eefd7e54fcbeb4bfe0d0d8230b701c18d67f9
- SHA256: 2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879
- SHA512: 555aa683c1b7c01e8f0eda05560147ece800bb53ceeca730eaccf597bf3e7c3aa2cedcd111574b02c7deba33d1d74b4b51c655900c1f8f8fd3549b6bcf0c6f12
- SSDEEP: 24576:UDWHSb4N70iKKUsu0Wl53iW9T5z/WOcQ2cZFFIuLI38SYI4O2wWMG:v84L8V/JcQDPL46I4ODVG
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe
    description        ioc                                                                                                    process
    Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe
- Loads dropped DLL (3 IoCs)
  Processes: rundll32.exe, rundll32.exe
    pid   process
    4364  rundll32.exe
    4364  rundll32.exe
    3968  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe, control.exe, rundll32.exe, RunDll32.exe
    description                         pid   process                                                                process target
    PID 4716 wrote to memory of 3988    4716  2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe  control.exe
    PID 4716 wrote to memory of 3988    4716  2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe  control.exe
    PID 4716 wrote to memory of 3988    4716  2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe  control.exe
    PID 3988 wrote to memory of 4364    3988  control.exe                                                            rundll32.exe
    PID 3988 wrote to memory of 4364    3988  control.exe                                                            rundll32.exe
    PID 3988 wrote to memory of 4364    3988  control.exe                                                            rundll32.exe
    PID 4364 wrote to memory of 4408    4364  rundll32.exe                                                           RunDll32.exe
    PID 4364 wrote to memory of 4408    4364  rundll32.exe                                                           RunDll32.exe
    PID 4408 wrote to memory of 3968    4408  RunDll32.exe                                                           rundll32.exe
    PID 4408 wrote to memory of 3968    4408  RunDll32.exe                                                           rundll32.exe
    PID 4408 wrote to memory of 3968    4408  RunDll32.exe                                                           rundll32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f2282447269e153a6b82ff9d615907f4cbee13a6c4cf2addbbe33f0e427d879.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\System32\control.exe" .\U_U5.B1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\U_U5.B1
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\RunDll32.exe
        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\U_U5.B1
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\U_U5.B1
          - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\U_U5.B1
  Filesize: 1.4MB
  MD5: cc1e2e03ad0761d2f95842b6d20854ad
  SHA1: 7d9aed0eee2cb5fbec7b6a4bfc064e22d855d2cf
  SHA256: 042f8e826dc5956f74d1b35c0b7cd4c0a11ae417077af4cd8c55e030cbce288a
  SHA512: 3f9ee45e284450572906c6e835a54dbcf341329c2852e6e476d408b6fbb49c7f59aa9ed746803f195df058548becb1a311940614f351fbeddd6a175228643d10
- C:\Users\Admin\AppData\Local\Temp\u_u5.b1
  Filesize: 1.4MB
  MD5: cc1e2e03ad0761d2f95842b6d20854ad
  SHA1: 7d9aed0eee2cb5fbec7b6a4bfc064e22d855d2cf
  SHA256: 042f8e826dc5956f74d1b35c0b7cd4c0a11ae417077af4cd8c55e030cbce288a
  SHA512: 3f9ee45e284450572906c6e835a54dbcf341329c2852e6e476d408b6fbb49c7f59aa9ed746803f195df058548becb1a311940614f351fbeddd6a175228643d10
- memory/3968-147-0x0000000000000000-mapping.dmp
- memory/3968-155-0x0000000003690000-0x0000000003760000-memory.dmp (Filesize: 832KB)
- memory/3968-153-0x00000000035A0000-0x0000000003687000-memory.dmp (Filesize: 924KB)
- memory/3968-152-0x0000000002DF0000-0x0000000002DF6000-memory.dmp (Filesize: 24KB)
- memory/3968-149-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/3988-132-0x0000000000000000-mapping.dmp
- memory/4364-142-0x00000000027F0000-0x00000000028D7000-memory.dmp (Filesize: 924KB)
- memory/4364-144-0x00000000028E0000-0x00000000029B0000-memory.dmp (Filesize: 832KB)
- memory/4364-133-0x0000000000000000-mapping.dmp
- memory/4364-143-0x00000000028E0000-0x00000000029B0000-memory.dmp (Filesize: 832KB)
- memory/4364-137-0x0000000002460000-0x00000000025C5000-memory.dmp (Filesize: 1.4MB)
- memory/4364-141-0x0000000000670000-0x0000000000676000-memory.dmp (Filesize: 24KB)
- memory/4364-138-0x0000000002460000-0x00000000025C5000-memory.dmp (Filesize: 1.4MB)
- memory/4408-146-0x0000000000000000-mapping.dmp