e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00

Analysis

max time kernel
79s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe
Size

1.4MB
MD5

d66c2e685bfc89fd929da6470282fd2e
SHA1

502a6fee82a994b876c28a2cbd1bbaa23356ac47
SHA256

e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00
SHA512

e39027cd07b5838010aa1cd0304a3be15f69aa160e5d339e4bf3cd08543a29a344eb49d80ca138a4682f8a7f567e35b61e0c74de3889c34249c6cf1eb198b027
SSDEEP

24576:gJr8tE+gHqzAeiU9ynuwHqJEh2rgXz1ayx77U/G4GmZd1KtQ79lcoVxEBKbDsCns:gJ4Nc5KJEYrCt97ARGmz1KcP/VxEIUCs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe

Loads dropped DLL 1 IoCs

pid	Process
552	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 552	5068	e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe	83
PID 5068 wrote to memory of 552	5068	e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe	83
PID 5068 wrote to memory of 552	5068	e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe	83

C:\Users\Admin\AppData\Local\Temp\e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe
"C:\Users\Admin\AppData\Local\Temp\e85606bcdd4e4c8b38caee36bfa818a56fb50e392fa08900e800f222fa6a9b00.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S 5l6F.SYB
  2⤵
  - Loads dropped DLL
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5l6F.SYB

Filesize
1.2MB

MD5
be189ea51ffb06cd9702fd09e3cda904

SHA1
73f5d9e34c0c1a7d6552dfc4203e16b9b01afd95

SHA256
a0f42f3e38d6f3e238c38d70c4f340bb486cd38b086f38b281c7096a5dc8e4d3

SHA512
93b264fb53085435b21c5d813dc0e96e925020748ead2906078ba0154894a88d398d41d7e7c4462341a5635bab4c2dd4e6091ec62a9139fb5d60e4b35e128d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\5l6F.sYB

Filesize
1.2MB

MD5
be189ea51ffb06cd9702fd09e3cda904

SHA1
73f5d9e34c0c1a7d6552dfc4203e16b9b01afd95

SHA256
a0f42f3e38d6f3e238c38d70c4f340bb486cd38b086f38b281c7096a5dc8e4d3

SHA512
93b264fb53085435b21c5d813dc0e96e925020748ead2906078ba0154894a88d398d41d7e7c4462341a5635bab4c2dd4e6091ec62a9139fb5d60e4b35e128d25

Download Submit
memory/552-137-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/552-139-0x0000000001440000-0x0000000001446000-memory.dmp

Filesize
24KB

Download
memory/552-140-0x0000000003090000-0x0000000003185000-memory.dmp

Filesize
980KB

Download
memory/552-141-0x0000000003190000-0x000000000326D000-memory.dmp

Filesize
884KB

Download
memory/552-144-0x0000000003190000-0x000000000326D000-memory.dmp

Filesize
884KB

Download
memory/552-145-0x0000000003190000-0x000000000326D000-memory.dmp

Filesize
884KB

Download