ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e

Analysis

max time kernel
79s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2023, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
Size

1.8MB
MD5

4718b5fd089008b96c5d22b11817cbe3
SHA1

8aba85b5356f33c9219484de6351b0a3c266a092
SHA256

ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e
SHA512

f6e95f9f3ce776fd2c988a756e80afa7286fe2b48fc943d27953382e42740c3702510fe80d11d4c4f25790d34ed8dc19c6cc7976edf3f2a46dedd5f989d2cee6
SSDEEP

49152:8VORjZhBfJXAE9iI7NNpj5aDqYnnzdCochYW:cORjZhBfKEEI7Nfj5aDqYnpCoO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe

Loads dropped DLL 2 IoCs

pid	Process
3296	rundll32.exe
4944	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2836	1752	ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe	86
PID 1752 wrote to memory of 2836	1752	ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe	86
PID 1752 wrote to memory of 2836	1752	ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe	86
PID 2836 wrote to memory of 3296	2836	control.exe	87
PID 2836 wrote to memory of 3296	2836	control.exe	87
PID 2836 wrote to memory of 3296	2836	control.exe	87
PID 3296 wrote to memory of 4908	3296	rundll32.exe	90
PID 3296 wrote to memory of 4908	3296	rundll32.exe	90
PID 4908 wrote to memory of 4944	4908	RunDll32.exe	91
PID 4908 wrote to memory of 4944	4908	RunDll32.exe	91
PID 4908 wrote to memory of 4944	4908	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
"C:\Users\Admin\AppData\Local\Temp\ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\IWRMx.F6
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\IWRMx.F6
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\IWRMx.F6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\IWRMx.F6
        5⤵
        Loads dropped DLL
        
        PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IWRMx.F6

Filesize
1.2MB

MD5
552eb8d0486409138352887f1c573684

SHA1
9c1756984b20beae6447aaad116b7e5f998aa861

SHA256
935615218c92829eb553a3e2ec13607d0feaf2d4a7e4e9cf93eaa8fc4b01edc2

SHA512
cbf9700b321483b7ad31dbca3a3a194283ee96a193c699c0fa07b9d0682f5ac223b642db0e0ad5069b35a0fb850340a5f634944f8b1ca78db776b342e16950e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWrMx.f6

Filesize
1.2MB

MD5
552eb8d0486409138352887f1c573684

SHA1
9c1756984b20beae6447aaad116b7e5f998aa861

SHA256
935615218c92829eb553a3e2ec13607d0feaf2d4a7e4e9cf93eaa8fc4b01edc2

SHA512
cbf9700b321483b7ad31dbca3a3a194283ee96a193c699c0fa07b9d0682f5ac223b642db0e0ad5069b35a0fb850340a5f634944f8b1ca78db776b342e16950e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWrMx.f6

Filesize
1.2MB

MD5
552eb8d0486409138352887f1c573684

SHA1
9c1756984b20beae6447aaad116b7e5f998aa861

SHA256
935615218c92829eb553a3e2ec13607d0feaf2d4a7e4e9cf93eaa8fc4b01edc2

SHA512
cbf9700b321483b7ad31dbca3a3a194283ee96a193c699c0fa07b9d0682f5ac223b642db0e0ad5069b35a0fb850340a5f634944f8b1ca78db776b342e16950e9

Download Submit
memory/3296-147-0x00000000032E0000-0x00000000033C1000-memory.dmp

Filesize
900KB

Download
memory/3296-143-0x00000000031E0000-0x00000000032D9000-memory.dmp

Filesize
996KB

Download
memory/3296-144-0x00000000032E0000-0x00000000033C1000-memory.dmp

Filesize
900KB

Download
memory/3296-142-0x0000000002A50000-0x0000000002A56000-memory.dmp

Filesize
24KB

Download
memory/3296-148-0x00000000032E0000-0x00000000033C1000-memory.dmp

Filesize
900KB

Download
memory/3296-140-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4944-152-0x0000000002F60000-0x0000000002F66000-memory.dmp

Filesize
24KB

Download
memory/4944-153-0x00000000032A0000-0x0000000003399000-memory.dmp

Filesize
996KB

Download
memory/4944-154-0x00000000033A0000-0x0000000003481000-memory.dmp

Filesize
900KB

Download
memory/4944-157-0x00000000033A0000-0x0000000003481000-memory.dmp

Filesize
900KB

Download
memory/4944-158-0x00000000033A0000-0x0000000003481000-memory.dmp

Filesize
900KB

Download