76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847

Analysis

max time kernel
90s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 07:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe
Size

1.3MB
MD5

e35b037a28288fce45f4ec21d088f2c8
SHA1

aae7e973f57a89f11fd9c7b1546a98591ce5c62a
SHA256

76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847
SHA512

1238a44ece3d3ac2d4510e095a4bb926aca0f59cfb7bdb442d1f29374758fb97b8474ec2a7247ba24e14fd68609e1eae590545560d18356b127de352c018bd87
SSDEEP

24576:YLeTtjJFtHrKEAPL+3ufjZ7ZEoC6YlDewzIeD6cLmicEJR8zlMtQri0j2+i:YLYkEYeubJZhAZewzX+QmeilMmrs+i

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe

Loads dropped DLL 2 IoCs

pid	Process
4812	rundll32.exe
616	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 4876	2696	76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe	82
PID 2696 wrote to memory of 4876	2696	76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe	82
PID 2696 wrote to memory of 4876	2696	76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe	82
PID 4876 wrote to memory of 4812	4876	control.exe	83
PID 4876 wrote to memory of 4812	4876	control.exe	83
PID 4876 wrote to memory of 4812	4876	control.exe	83
PID 4812 wrote to memory of 880	4812	rundll32.exe	84
PID 4812 wrote to memory of 880	4812	rundll32.exe	84
PID 880 wrote to memory of 616	880	RunDll32.exe	85
PID 880 wrote to memory of 616	880	RunDll32.exe	85
PID 880 wrote to memory of 616	880	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe
"C:\Users\Admin\AppData\Local\Temp\76a607dc1424fd68b573710c12ca6e63877358f446d27952339a9af06723b847.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\aM63ShYF.BEl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\aM63ShYF.BEl
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\aM63ShYF.BEl
      4⤵
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\aM63ShYF.BEl
        5⤵
        Loads dropped DLL
        
        PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aM63ShYF.BEl

Filesize
1.4MB

MD5
2ba6d78c8c4435e937bd133ed0e39022

SHA1
1c2c5e8d698f22b188e48a7ee9a353f3c400fe96

SHA256
aeb5c8e24e7aecf0fc0dc56b70cc846f9e267df3bd9478ac763c2ab82027a430

SHA512
bebdb403a5aef21d85a460fcd9d1a0727973bf608cbb59ffb05beebd548e6015c676091e683a0a22d414e00944451eeefbb82481b5633a6dc9cd923955e51d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\am63shYF.Bel

Filesize
1.4MB

MD5
2ba6d78c8c4435e937bd133ed0e39022

SHA1
1c2c5e8d698f22b188e48a7ee9a353f3c400fe96

SHA256
aeb5c8e24e7aecf0fc0dc56b70cc846f9e267df3bd9478ac763c2ab82027a430

SHA512
bebdb403a5aef21d85a460fcd9d1a0727973bf608cbb59ffb05beebd548e6015c676091e683a0a22d414e00944451eeefbb82481b5633a6dc9cd923955e51d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\am63shYF.Bel

Filesize
1.4MB

MD5
2ba6d78c8c4435e937bd133ed0e39022

SHA1
1c2c5e8d698f22b188e48a7ee9a353f3c400fe96

SHA256
aeb5c8e24e7aecf0fc0dc56b70cc846f9e267df3bd9478ac763c2ab82027a430

SHA512
bebdb403a5aef21d85a460fcd9d1a0727973bf608cbb59ffb05beebd548e6015c676091e683a0a22d414e00944451eeefbb82481b5633a6dc9cd923955e51d67

Download Submit
memory/616-153-0x0000000002CE0000-0x0000000002DB2000-memory.dmp

Filesize
840KB

Download
memory/616-151-0x0000000002BF0000-0x0000000002CD9000-memory.dmp

Filesize
932KB

Download
memory/616-150-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/4812-142-0x0000000003440000-0x0000000003512000-memory.dmp

Filesize
840KB

Download
memory/4812-141-0x0000000003440000-0x0000000003512000-memory.dmp

Filesize
840KB

Download
memory/4812-140-0x0000000003340000-0x0000000003429000-memory.dmp

Filesize
932KB

Download
memory/4812-137-0x0000000001420000-0x0000000001426000-memory.dmp

Filesize
24KB

Download
memory/4812-136-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download