Analysis
max time kernel: 96s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 23:29
Static task: static1
Behavioral task: behavioral1
Sample: f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
Resource: win10v2004-20230220-en
General
Target: f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
Size: 1.6MB
MD5: 810f82751a3d891a7ae5444c66672aa9
SHA1: 7b0adcfec821117787f664997e54755c9b5c9b66
SHA256: f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5
SHA512: f53a26b566690c23ff3acecc2c2bd5c210a5394b371ee1d1dba86926ccefa1369b2837498d3e58b3d486d7d292c86a27d63832c818f2ced729568634c5864d39
SSDEEP: 49152:4u4m8lluJ7FWMa9RaYKH++rE2xqgAt4RrUSqMP7c7B:4u4HAFvYKH+uE2PAQpncN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. (The Nation value holds the numeric Windows GeoID of the user's configured home location.)
  Key queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  Process: f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
Loads dropped DLL (2 IoCs)
  PID 1032  rundll32.exe
  PID 5080  rundll32.exe
Enumerates physical storage devices (1 TTP, no IoC listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is a generic heuristic; no concrete device or path is recorded for it on this page.
Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   process                                                                  procid_target
  PID 1480 wrote to memory of 3508    1480  f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe   86  (listed 3 times)
  PID 3508 wrote to memory of 1032    3508  control.exe                                                              87  (listed 3 times)
  PID 1032 wrote to memory of 2860    1032  rundll32.exe                                                             94  (listed 2 times)
  PID 2860 wrote to memory of 5080    2860  RunDll32.exe                                                             95  (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe"
  PID: 1480
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\System32\control.exe" .\SIB6.mLQ
    PID: 3508
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\SIB6.mLQ
      PID: 1032
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\RunDll32.exe
        command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\SIB6.mLQ
        PID: 2860
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\SIB6.mLQ
          PID: 5080
          - Loads dropped DLL
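The tree above is the standard Control Panel item launch chain: the sample hands a file with a non-.cpl extension (.\SIB6.mLQ, relative to its own working directory) to control.exe, which loads it through Shell32.dll's Control_RunDLL export and then its ordinal (#44) in a further rundll32 instance. Two details worth checking when hunting for this: the control.exe image sits in SysWOW64 although the command line names System32, which is WoW64 file-system redirection applied to a 32-bit parent, and the launch hops between 32-bit and 64-bit rundll32 images before the item is loaded. The following detection logic is an added example and not part of this report: it flags control.exe, or rundll32.exe invoked with Control_RunDLL or #44, whenever the item to be loaded is not a .cpl file under a Windows system directory, and reconstructs each hit's parent chain. The five malicious event records are copied from the process tree on this page; the event field names (pid, ppid, image, cmdline), the two benign launches and the canonical-name launch are assumptions.

```python
"""Flag Control Panel item launches that load something other than a stock .cpl.

Added example, not part of the sandbox report. Event fields are an assumption
modelled loosely on Sysmon Event ID 1; the benign records are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # command line as logged


# rundll32 invocations that load a Control Panel item: the named export or its ordinal (#44)
CPL_LOADER_RE = re.compile(r"shell32\.dll\"?\s*,\s*(control_rundll|#44)\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_cmdline(cmdline):
    """Split a Windows command line on unquoted whitespace, dropping the quotes."""
    tokens, cur, in_quote = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cpl_target(ev):
    """Return the Control Panel item a control.exe/rundll32.exe launch will load, else None."""
    name = image_name(ev.image)
    toks = split_cmdline(ev.cmdline)
    if name == "control.exe" and len(toks) >= 2 and not toks[1].startswith("/"):
        return toks[1]                      # "/name Microsoft.X" is a canonical name, not a file
    if name == "rundll32.exe" and len(toks) >= 3 and CPL_LOADER_RE.search(ev.cmdline):
        return toks[2]
    return None


def judge_target(target):
    """Reasons why a CPL path looks like a dropped payload rather than a stock applet."""
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext != ".cpl":
        reasons.append(f"extension {ext or '<none>'!r} is not .cpl")
    low = target.lower()
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("relative path, resolved against the launcher's working directory")
    elif not low.startswith(SYSTEM_DIRS):
        reasons.append("outside the Windows system directories")
    return reasons


def lineage(events, pid):
    """Image names from the earliest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_cpl_launches(events):
    hits = []
    for ev in events:
        target = cpl_target(ev)
        if target is None:
            continue
        reasons = judge_target(target)
        if reasons:
            hits.append({"pid": ev.pid, "image": image_name(ev.image), "target": target,
                         "reasons": reasons, "lineage": lineage(events, ev.pid)})
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe"
EVENTS = [  # first five copied from the process tree above; the sample's own parent is unknown (0)
    ProcEvent(1480, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3508, 1480, r"C:\Windows\SysWOW64\control.exe",
              r'"C:\Windows\System32\control.exe" .\SIB6.mLQ'),
    ProcEvent(1032, 3508, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\SIB6.mLQ'),
    ProcEvent(2860, 1032, r"C:\Windows\system32\RunDll32.exe",
              r"C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\SIB6.mLQ"),
    ProcEvent(5080, 2860, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\SIB6.mLQ'),
    # constructed benign launches: a stock applet by path, and a canonical-name launch
    ProcEvent(6000, 900, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl'),
    ProcEvent(6001, 6000, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe Shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"),
    ProcEvent(6002, 900, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" /name Microsoft.WindowsUpdate'),
]

if __name__ == "__main__":
    for hit in find_cpl_launches(EVENTS):
        print(f"PID {hit['pid']} {hit['image']} loads {hit['target']}: {'; '.join(hit['reasons'])}")
        print("  lineage:", " -> ".join(hit["lineage"]))
```

Run against these records the rule fires on the four control.exe/rundll32.exe launches from the report and stays quiet on the two benign ones, and the lineage of the last hit leads back to the sample in the user's Temp directory. Keying on the argument rather than on rundll32.exe alone keeps stock applet launches out of the alert stream; relative paths are flagged on purpose because the loader resolves them against whatever directory the dropper started in.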
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.1MB
MD5: 3d03d4259bf7bbef153b82f316035f83
SHA1: e73a72fcaa764f21907558445a9d6576191a3971
SHA256: 572104331ec59d7c2ed8df9decc17979c74e52448b9e59c703c2b2baded47a47
SHA512: e04f1a2a0f0851c52e0410c8446dae604d57124cd8b9a44d2e6808458c4e599f1201cf67515b18546a81ca1953e0bd7c51c2cd9d407ee30a45549738b2b97d05