6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b

Analysis

max time kernel
80s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe
Size

1.5MB
MD5

fb475a36417cbece2bdf3dac36d37264
SHA1

0b1af10d727c913d3a2ccc02ebb61bbfbc637257
SHA256

6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b
SHA512

bcab3f0fc5b8429730932c7e03a93685af5fcf2ddce7fcca62a500d198ca203a6fc2f8ed6fc65cef1c7d46b4807cf05aa074dbf771b9ef33d0b2ce2c7c3c3d06
SSDEEP

24576:PgZXoZUTVdt7K7Ub/Ui61OSGC0fuoyEMP7jBPgSrEZcAl+pia28hd2fiwbZdojRR:u58i6ICaPIjjZoZcbpi98hVwbZdolqOf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe

Loads dropped DLL 2 IoCs

pid	Process
4032	rundll32.exe
4516	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3844	4320	6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe	84
PID 4320 wrote to memory of 3844	4320	6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe	84
PID 4320 wrote to memory of 3844	4320	6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe	84
PID 3844 wrote to memory of 4032	3844	control.exe	85
PID 3844 wrote to memory of 4032	3844	control.exe	85
PID 3844 wrote to memory of 4032	3844	control.exe	85
PID 4032 wrote to memory of 1784	4032	rundll32.exe	89
PID 4032 wrote to memory of 1784	4032	rundll32.exe	89
PID 1784 wrote to memory of 4516	1784	RunDll32.exe	90
PID 1784 wrote to memory of 4516	1784	RunDll32.exe	90
PID 1784 wrote to memory of 4516	1784	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe
"C:\Users\Admin\AppData\Local\Temp\6f1d086e32a4ddec365d5d77712c061d2d5b5c900fd607e928b14014a744005b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\0oJV.S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\0oJV.S
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\0oJV.S
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\0oJV.S
        5⤵
        Loads dropped DLL
        
        PID:4516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0oJV.S

Filesize
1.2MB

MD5
1152765b7ec3fbe237a778d31dd57e3e

SHA1
eb957ca4de0b8f6838d5199ef576e37b34ac02e6

SHA256
b8373a9830422e1ae9f6277f86d4580777bf938956c477adf3412ef04fb9eb2a

SHA512
7147dc6843acd3bf561dcd4e470a3f6564e2342c05c34654883c4fc2595a18ce5317ec2d94c1519a139e7c8a454b1b96b163312d9e445b33705fe24bfe398dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oJV.s

Filesize
1.2MB

MD5
1152765b7ec3fbe237a778d31dd57e3e

SHA1
eb957ca4de0b8f6838d5199ef576e37b34ac02e6

SHA256
b8373a9830422e1ae9f6277f86d4580777bf938956c477adf3412ef04fb9eb2a

SHA512
7147dc6843acd3bf561dcd4e470a3f6564e2342c05c34654883c4fc2595a18ce5317ec2d94c1519a139e7c8a454b1b96b163312d9e445b33705fe24bfe398dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oJV.s

Filesize
1.2MB

MD5
1152765b7ec3fbe237a778d31dd57e3e

SHA1
eb957ca4de0b8f6838d5199ef576e37b34ac02e6

SHA256
b8373a9830422e1ae9f6277f86d4580777bf938956c477adf3412ef04fb9eb2a

SHA512
7147dc6843acd3bf561dcd4e470a3f6564e2342c05c34654883c4fc2595a18ce5317ec2d94c1519a139e7c8a454b1b96b163312d9e445b33705fe24bfe398dbc

Download Submit
memory/4032-144-0x0000000002F50000-0x000000000302E000-memory.dmp

Filesize
888KB

Download
memory/4032-140-0x0000000002E50000-0x0000000002F47000-memory.dmp

Filesize
988KB

Download
memory/4032-141-0x0000000002F50000-0x000000000302E000-memory.dmp

Filesize
888KB

Download
memory/4032-139-0x0000000000F90000-0x0000000000F96000-memory.dmp

Filesize
24KB

Download
memory/4032-145-0x0000000002F50000-0x000000000302E000-memory.dmp

Filesize
888KB

Download
memory/4032-137-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4516-149-0x00000000030A0000-0x00000000030A6000-memory.dmp

Filesize
24KB

Download
memory/4516-150-0x00000000031C0000-0x00000000032B7000-memory.dmp

Filesize
988KB

Download
memory/4516-151-0x00000000032D0000-0x00000000033AE000-memory.dmp

Filesize
888KB

Download
memory/4516-154-0x00000000032D0000-0x00000000033AE000-memory.dmp

Filesize
888KB

Download
memory/4516-155-0x00000000032D0000-0x00000000033AE000-memory.dmp

Filesize
888KB

Download