4a43060f20b5a2c811c69eee2a9e851f535c87c66918089899ec0e3709e4bc9c

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202331554102115001.exe
Size

2.6MB
MD5

1410468282b8d97acf1b56101f4b3e03
SHA1

344214f1c127e787097028898def5c2142b6cca6
SHA256

94f0d29ac20454f36d60659242ded64b2de01a8c4f1a87c5b09f55ca4fd3dde0
SHA512

8e351d32a3cead13d25565571c123c421c5f135c7c6d127a93eaa3c65e096a747373b1d6f3c9c430a170a78dc195a4ca884fc13762cacd5c9ce06bc189d79a4d
SSDEEP

49152:484XeFIX0bWKr8Up608UydN9VSvBlCKJE3OrhXFrDX2i3XHvnOUQm5Du6z:4peFIOxr8UcUyf+lCUE3ahXFraoHG6Rz

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

202331554102115001.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	202331554102115001.exe

Executes dropped EXE 1 IoCs

Processes:

Project.exe

pid process

452 Project.exe
Loads dropped DLL 1 IoCs

Processes:

Project.exe

pid process

452 Project.exe

pid	process
452	Project.exe

pid	process
452	Project.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	upx
behavioral2/memory/452-148-0x0000000000400000-0x0000000000F90000-memory.dmp	upx
behavioral2/memory/452-150-0x0000000000400000-0x0000000000F90000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

202331554102115001.exe

description	pid	process	target process
PID 4640 wrote to memory of 452	4640	202331554102115001.exe	Project.exe
PID 4640 wrote to memory of 452	4640	202331554102115001.exe	Project.exe
PID 4640 wrote to memory of 452	4640	202331554102115001.exe	Project.exe

C:\Users\Admin\AppData\Local\Temp\202331554102115001.exe
"C:\Users\Admin\AppData\Local\Temp\202331554102115001.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
3.1MB

MD5
5bdbc44010073a6053e6b2c3d7b7cf5f

SHA1
c059f65c254b103a0693f5d8f28b9e41c67ac6d7

SHA256
f10cebcd73447a0a30a3480ef42f3fcda3fc746ee40b0c731df3da63fb76ac2f

SHA512
9b584e181ad5be76486bf2e62a7af73ef1d706c862eb64ef54a25868cd093db10c26fb3a03e2b2b12d7565ffa84fbbe7dfec17e7ab508728fe1ac7db41c97325

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
3.1MB

MD5
5bdbc44010073a6053e6b2c3d7b7cf5f

SHA1
c059f65c254b103a0693f5d8f28b9e41c67ac6d7

SHA256
f10cebcd73447a0a30a3480ef42f3fcda3fc746ee40b0c731df3da63fb76ac2f

SHA512
9b584e181ad5be76486bf2e62a7af73ef1d706c862eb64ef54a25868cd093db10c26fb3a03e2b2b12d7565ffa84fbbe7dfec17e7ab508728fe1ac7db41c97325

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK32.dll
Filesize
98KB

MD5
29e0b67635a30d87d929bc1614eff68f

SHA1
180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

SHA256
b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

SHA512
68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK32.dll
Filesize
98KB

MD5
29e0b67635a30d87d929bc1614eff68f

SHA1
180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

SHA256
b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

SHA512
68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

Download Submit
memory/452-148-0x0000000000400000-0x0000000000F90000-memory.dmp

Filesize
11.6MB

Download
memory/452-149-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/452-150-0x0000000000400000-0x0000000000F90000-memory.dmp

Filesize
11.6MB

Download