b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe
Size

11.9MB
MD5

fb4debd112aceb8682f807251ad5a916
SHA1

68ac6f256cdb5fb4dd49504915fb5e23ec68d4d6
SHA256

b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9
SHA512

17f362c89624b278296f8e1f73e100e165b81d13ee7dca277229b6a9596f2513fb9639349620a2b55badbb8c5c55521f01c51ffe918fb063b3a061cdd8d36bdb
SSDEEP

196608:xEP+6cL/922hPs7wcjJoRkT1Rz+ie8YqS0PTMhcst6qlz/djYdCK02WtuniyskwQ:2P+6a08U7wclleCLTMhcy6qlz1R92Uu1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	setup.exe
4216	is-BM0QC.tmp

Loads dropped DLL 2 IoCs

pid	Process
4216	is-BM0QC.tmp
4216	is-BM0QC.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2324	1180	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	81
PID 1180 wrote to memory of 2324	1180	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	81
PID 1180 wrote to memory of 2324	1180	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	81
PID 2324 wrote to memory of 4216	2324	setup.exe	82
PID 2324 wrote to memory of 4216	2324	setup.exe	82
PID 2324 wrote to memory of 4216	2324	setup.exe	82

C:\Users\Admin\AppData\Local\Temp\b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe
"C:\Users\Admin\AppData\Local\Temp\b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180
- C:\RepTasks2012\setup.exe
  "C:\RepTasks2012\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\is-1E9Q9.tmp\is-BM0QC.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-1E9Q9.tmp\is-BM0QC.tmp" /SL4 $5011A C:\RepTasks2012\setup.exe 7742148 72704
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
C:\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1E9Q9.tmp\is-BM0QC.tmp

Filesize
13.3MB

MD5
dfaa0ffd9ca26dd3bafcda07e6e601eb

SHA1
e89c038b24172a86e3b0b2f007e043631aa05a2e

SHA256
cc5597b5a6c9dfb96d3a5079cf42f27ef7e5e1cf914c050bcb2602914921df48

SHA512
0707c6f6e29543bf7f7fe159dca74832ede537c61b5b2abbb368cfe7511e224faabccfc1836abb03b920f35d00b033fc0c19723263264d2f5b2d0a1513ca4269

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1E9Q9.tmp\is-BM0QC.tmp

Filesize
13.3MB

MD5
dfaa0ffd9ca26dd3bafcda07e6e601eb

SHA1
e89c038b24172a86e3b0b2f007e043631aa05a2e

SHA256
cc5597b5a6c9dfb96d3a5079cf42f27ef7e5e1cf914c050bcb2602914921df48

SHA512
0707c6f6e29543bf7f7fe159dca74832ede537c61b5b2abbb368cfe7511e224faabccfc1836abb03b920f35d00b033fc0c19723263264d2f5b2d0a1513ca4269

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1AUJ.tmp\_isdecmp.dll

Filesize
12KB

MD5
9f015911c4073ba9b8ad5a4c36fcaf88

SHA1
d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

SHA256
c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

SHA512
c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1AUJ.tmp\_isdecmp.dll

Filesize
12KB

MD5
9f015911c4073ba9b8ad5a4c36fcaf88

SHA1
d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

SHA256
c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

SHA512
c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

Download Submit
memory/2324-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2324-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2324-144-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4216-143-0x00000000032E1000-0x00000000032E3000-memory.dmp

Filesize
8KB

Download