7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d

Analysis

max time kernel
84s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe
Size

1.5MB
MD5

670efa40acde78b8db356633585aef6c
SHA1

e233583c647fd6d012aa764f2d6c85a16faa829b
SHA256

7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d
SHA512

ac8a14630cae6bd9e2f801e6e83c15949ff5a5932925547577718ac0de27dd0c7c09d1abeb1b7fd3ab1a35a6a22fcd94a10c9a140aec0b9eaaa5dcba4ea82a53
SSDEEP

24576:elMiZMVn1db5AnUZLPq8OfMD9wjXe28gS+dwpbHKgFlioZpa5v859VH4ynG5ce58:5FPEf29eXmgMk5vc1Gvm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe

Loads dropped DLL 1 IoCs

pid	Process
1344	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1344	4912	7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe	86
PID 4912 wrote to memory of 1344	4912	7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe	86
PID 4912 wrote to memory of 1344	4912	7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe	86

C:\Users\Admin\AppData\Local\Temp\7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe
"C:\Users\Admin\AppData\Local\Temp\7c813166bb603b8611dda43549d0df2ebf805aaaab4732f634d2c5c4a895c39d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /S .\IAov4S.a /u
  2⤵
  - Loads dropped DLL
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IAov4S.a

Filesize
1.1MB

MD5
7a403e20a962eeb6ec3ed2f73d2a7f1b

SHA1
8b94da39c969b70990c6cae83d19f814a843cca8

SHA256
b85c6cec9d5c7b025a306cfbae2f396f411d6520af8e1262ed5c21bf8cbece6b

SHA512
520581c6679b607e6c650b2d016a6124ca967e1040224cc947ad693353734d795714a4a06f8723d44e2ccd898e2f54ec636ce53b4c44c7493844e5a455248356

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaov4s.a

Filesize
1.1MB

MD5
7a403e20a962eeb6ec3ed2f73d2a7f1b

SHA1
8b94da39c969b70990c6cae83d19f814a843cca8

SHA256
b85c6cec9d5c7b025a306cfbae2f396f411d6520af8e1262ed5c21bf8cbece6b

SHA512
520581c6679b607e6c650b2d016a6124ca967e1040224cc947ad693353734d795714a4a06f8723d44e2ccd898e2f54ec636ce53b4c44c7493844e5a455248356

Download Submit
memory/1344-137-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1344-139-0x0000000002DF0000-0x0000000002DF6000-memory.dmp

Filesize
24KB

Download
memory/1344-140-0x0000000003060000-0x0000000003159000-memory.dmp

Filesize
996KB

Download
memory/1344-142-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1344-141-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1344-144-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1344-145-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download