90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2023 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe
Size

1.4MB
MD5

fc6ea13d51db2e8af42a28026605c0e7
SHA1

b5cb0071b801ccfa8f35dcef6eb379671a3697d6
SHA256

90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39
SHA512

bc876e86eb86e8cf557733307debbbb166e4a28d1f7854bd3f5efd2f69ed4a39f57aaa6af4278b2882c54ad7c5ee469bc3262ff7d16cec3fc6fa395fcaa32d18
SSDEEP

24576:O208/RKHuEBPYqkPkhyyL4KdulinFOSKAfkkuw7jSxXfDPlm5BS019Hl1WaoBB6U:908/RYwq1hyyL4fin0SKAfka72xLM5Bq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	regsvr32.exe
2204	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2204	4460	90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe	79
PID 4460 wrote to memory of 2204	4460	90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe	79
PID 4460 wrote to memory of 2204	4460	90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe	79

C:\Users\Admin\AppData\Local\Temp\90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe
"C:\Users\Admin\AppData\Local\Temp\90a9e895e519c6c866228a938b18b5a0f4aa1da0b908ebc866776dadc4e18a39.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /u .\SHsHP1.B9F /S
  2⤵
  - Loads dropped DLL
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SHsHP1.B9F

Filesize
1.6MB

MD5
2c9e03d4f359d414c4356895c2d7b240

SHA1
df1072c993fad608a8e16140a86c10522b4067c7

SHA256
e7551f54c4e9e0c3d2bfc8d3469b802ddd6eb41055162f9b97097edd38a95114

SHA512
40bfc0f137ac3f8364740fd695d80f0d0cea8d5018bd5a6eaeea61344751690f2cf127b6632f84203fab3499de6ed6a0f2f2906c18bcbdaf15442a8991781c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\shshp1.B9F

Filesize
1.6MB

MD5
2c9e03d4f359d414c4356895c2d7b240

SHA1
df1072c993fad608a8e16140a86c10522b4067c7

SHA256
e7551f54c4e9e0c3d2bfc8d3469b802ddd6eb41055162f9b97097edd38a95114

SHA512
40bfc0f137ac3f8364740fd695d80f0d0cea8d5018bd5a6eaeea61344751690f2cf127b6632f84203fab3499de6ed6a0f2f2906c18bcbdaf15442a8991781c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\shshp1.B9F

Filesize
1.6MB

MD5
2c9e03d4f359d414c4356895c2d7b240

SHA1
df1072c993fad608a8e16140a86c10522b4067c7

SHA256
e7551f54c4e9e0c3d2bfc8d3469b802ddd6eb41055162f9b97097edd38a95114

SHA512
40bfc0f137ac3f8364740fd695d80f0d0cea8d5018bd5a6eaeea61344751690f2cf127b6632f84203fab3499de6ed6a0f2f2906c18bcbdaf15442a8991781c65

Download Submit
memory/2204-136-0x0000000002220000-0x00000000023C6000-memory.dmp

Filesize
1.6MB

Download
memory/2204-137-0x0000000002220000-0x00000000023C6000-memory.dmp

Filesize
1.6MB

Download
memory/2204-140-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/2204-141-0x0000000002670000-0x0000000002755000-memory.dmp

Filesize
916KB

Download
memory/2204-142-0x0000000002760000-0x000000000282E000-memory.dmp

Filesize
824KB

Download