c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe
Size

1.7MB
MD5

36f78a8ea81e6d55c52863c62e503e1c
SHA1

6182c738a307b10e5edbd708ea0461716ba7f3d7
SHA256

c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6
SHA512

5759a738da456e1e38d3cb255223fc0f9afde500703ad29874af35243ba41e36824822a353c3267d3bb81b59fc153d8236e260afb2f588922e16f2c4eae1ec70
SSDEEP

49152:beWh6RBfJXAE6UtM4QswSqg+nIN0U3ab/Mm4XXdX4nGId:beWh6RBfKEToTgkIBabEm49X4nGq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe

Loads dropped DLL 2 IoCs

pid	Process
4760	msiexec.exe
4760	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4760	1628	c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe	80
PID 1628 wrote to memory of 4760	1628	c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe	80
PID 1628 wrote to memory of 4760	1628	c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe	80

C:\Users\Admin\AppData\Local\Temp\c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe
"C:\Users\Admin\AppData\Local\Temp\c1d70dce1510d832f64e405cdf2699cd52cc8238899367b9430029c57953e5e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /Y .\GNWUCUHD.0x
  2⤵
  - Loads dropped DLL
  PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GNWUCUHD.0x

Filesize
1.5MB

MD5
62ee43288f936534ab7b5d07d32a472d

SHA1
c25d1e93d9c6895c14e05708e780e605ea421243

SHA256
fd201e86ce68d269cd82f64ff3152b7e4a5a3c4e04433bc923c5154215a383e8

SHA512
47d090cc20809136bfd45715fae7436cd5dfa8c32a1141d01ab4d71c08bcd9b4d0fb78ddc99f254f5bdea4e8fb0b128b33f4d4008f09c2f6e6599d9b2ede6f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GnWucuhd.0x

Filesize
1.5MB

MD5
62ee43288f936534ab7b5d07d32a472d

SHA1
c25d1e93d9c6895c14e05708e780e605ea421243

SHA256
fd201e86ce68d269cd82f64ff3152b7e4a5a3c4e04433bc923c5154215a383e8

SHA512
47d090cc20809136bfd45715fae7436cd5dfa8c32a1141d01ab4d71c08bcd9b4d0fb78ddc99f254f5bdea4e8fb0b128b33f4d4008f09c2f6e6599d9b2ede6f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GnWucuhd.0x

Filesize
1.5MB

MD5
62ee43288f936534ab7b5d07d32a472d

SHA1
c25d1e93d9c6895c14e05708e780e605ea421243

SHA256
fd201e86ce68d269cd82f64ff3152b7e4a5a3c4e04433bc923c5154215a383e8

SHA512
47d090cc20809136bfd45715fae7436cd5dfa8c32a1141d01ab4d71c08bcd9b4d0fb78ddc99f254f5bdea4e8fb0b128b33f4d4008f09c2f6e6599d9b2ede6f8d

Download Submit
memory/4760-136-0x0000000002680000-0x00000000027FF000-memory.dmp

Filesize
1.5MB

Download
memory/4760-137-0x0000000002680000-0x00000000027FF000-memory.dmp

Filesize
1.5MB

Download
memory/4760-140-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/4760-141-0x0000000002A70000-0x0000000002B61000-memory.dmp

Filesize
964KB

Download
memory/4760-142-0x0000000002B70000-0x0000000002C4A000-memory.dmp

Filesize
872KB

Download