4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733

Analysis

max time kernel
100s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2023, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe
Size

1.4MB
MD5

d95f4a19c3258cd730337860e74f6a6a
SHA1

c4e68f855920cd67a8538a0f2eccdc3a10bf8913
SHA256

4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733
SHA512

1bbda329dedb4172bb9c02f2205490e3b219b4ce2545a220f6002a2c35ee60755bbf4405a3c09a6fdc784080fa19e7e467bced6049d343080e3376ee741cbc10
SSDEEP

24576:gJr8tE+gHql1LRAlwSyz8NrvLbCYrKzgyWGCU+imaqxWyXfJ2wa/5HsSptnDr:gJ4NXVngNbL+YrKzgq67x2wwHsSptDr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	regsvr32.exe
1960	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1960	1120	4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe	84
PID 1120 wrote to memory of 1960	1120	4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe	84
PID 1120 wrote to memory of 1960	1120	4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe	84

C:\Users\Admin\AppData\Local\Temp\4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe
"C:\Users\Admin\AppData\Local\Temp\4dd4123adae0629cb77b98e78b0c5b32f4820aa7ff326b55c8033901c68ff733.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" MkKX0WgC.~ -S
  2⤵
  - Loads dropped DLL
  PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MkKX0WgC.~

Filesize
1.3MB

MD5
3fa0dae069f41e816bb2875218973bcd

SHA1
5e3bcbb34b7af53658b622e4ebac8e8680b21741

SHA256
c812f9e306342a9b2c0a7d809ce9df5f0d0f761e00726cb8547236bb61104352

SHA512
ed541ed8fc6a52bf35f89f1e5dc53f3af6367f17a1f4efbd6b5639cba5a0563e4fb0f7ca25a61691be89326879f427bc3d6be2445ceabb61ccd5f6b6ab5a6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkKX0WgC.~

Filesize
1.3MB

MD5
3fa0dae069f41e816bb2875218973bcd

SHA1
5e3bcbb34b7af53658b622e4ebac8e8680b21741

SHA256
c812f9e306342a9b2c0a7d809ce9df5f0d0f761e00726cb8547236bb61104352

SHA512
ed541ed8fc6a52bf35f89f1e5dc53f3af6367f17a1f4efbd6b5639cba5a0563e4fb0f7ca25a61691be89326879f427bc3d6be2445ceabb61ccd5f6b6ab5a6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkKX0WgC.~

Filesize
1.3MB

MD5
3fa0dae069f41e816bb2875218973bcd

SHA1
5e3bcbb34b7af53658b622e4ebac8e8680b21741

SHA256
c812f9e306342a9b2c0a7d809ce9df5f0d0f761e00726cb8547236bb61104352

SHA512
ed541ed8fc6a52bf35f89f1e5dc53f3af6367f17a1f4efbd6b5639cba5a0563e4fb0f7ca25a61691be89326879f427bc3d6be2445ceabb61ccd5f6b6ab5a6182

Download Submit
memory/1960-138-0x00000000020A0000-0x00000000021E1000-memory.dmp

Filesize
1.3MB

Download
memory/1960-139-0x00000000020A0000-0x00000000021E1000-memory.dmp

Filesize
1.3MB

Download
memory/1960-141-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1960-142-0x0000000002430000-0x000000000252A000-memory.dmp

Filesize
1000KB

Download
memory/1960-143-0x0000000002530000-0x0000000002611000-memory.dmp

Filesize
900KB

Download
memory/1960-146-0x0000000002530000-0x0000000002611000-memory.dmp

Filesize
900KB

Download
memory/1960-147-0x0000000002530000-0x0000000002611000-memory.dmp

Filesize
900KB

Download