f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd

Analysis

max time kernel
96s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe
Size

1.3MB
MD5

f0c0b5c28b77bbffd388c1022d390912
SHA1

1c040f317966d873ff1feb32fa54e09598ff8331
SHA256

f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd
SHA512

37972da33d10a4ff9e6b3a78ad8472fe0542adf4f21dd67edfb556b96dd61a3f0b0f3a1e5d926d0988d7b739886212ee5c5f0efdd88ab1ba25b732549d3d956d
SSDEEP

24576:gJr8tE+gHqxTyhZwqSQxWUSfT3YuJqoIhT+sshuCbzUx/0ydtf4z8AsoDPS727:gJ4NxswqJWUK0BFsZQOu52nsoDPi27

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1248	1308	f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe	86
PID 1308 wrote to memory of 1248	1308	f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe	86
PID 1308 wrote to memory of 1248	1308	f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe	86

C:\Users\Admin\AppData\Local\Temp\f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe
"C:\Users\Admin\AppData\Local\Temp\f497e4b4803604e44fffbf8602d3234699d928bbd57ac42552731fbf3dd76edd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" -y .\TfDA5.klA
  2⤵
  - Loads dropped DLL
  PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TfDA5.klA

Filesize
1.1MB

MD5
ea65e58e992974784b9c801ed170489e

SHA1
570c43dbe51b81c5c2c6f33bd1342452ff4063d7

SHA256
bb5634826a8bf867006b42e23d8eb032b82a27cd2d398fa8420426f7d8d3feab

SHA512
b1ce7eb196a4db95f28c6b67db494957673e13eeaf1a4bdbb033b7da864432414f82d7db318edaf8f9b2bdb95cedbaa08a44990badd447ad9d5f0ff63ac83dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfdA5.kla

Filesize
1.1MB

MD5
ea65e58e992974784b9c801ed170489e

SHA1
570c43dbe51b81c5c2c6f33bd1342452ff4063d7

SHA256
bb5634826a8bf867006b42e23d8eb032b82a27cd2d398fa8420426f7d8d3feab

SHA512
b1ce7eb196a4db95f28c6b67db494957673e13eeaf1a4bdbb033b7da864432414f82d7db318edaf8f9b2bdb95cedbaa08a44990badd447ad9d5f0ff63ac83dc0

Download Submit
memory/1248-137-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1248-139-0x0000000001080000-0x0000000001086000-memory.dmp

Filesize
24KB

Download
memory/1248-140-0x0000000002D70000-0x0000000002E52000-memory.dmp

Filesize
904KB

Download
memory/1248-141-0x0000000002E60000-0x0000000002F2A000-memory.dmp

Filesize
808KB

Download
memory/1248-144-0x0000000002E60000-0x0000000002F2A000-memory.dmp

Filesize
808KB

Download
memory/1248-145-0x0000000002E60000-0x0000000002F2A000-memory.dmp

Filesize
808KB

Download