f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5

Analysis

max time kernel
96s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
Size

1.6MB
MD5

810f82751a3d891a7ae5444c66672aa9
SHA1

7b0adcfec821117787f664997e54755c9b5c9b66
SHA256

f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5
SHA512

f53a26b566690c23ff3acecc2c2bd5c210a5394b371ee1d1dba86926ccefa1369b2837498d3e58b3d486d7d292c86a27d63832c818f2ced729568634c5864d39
SSDEEP

49152:4u4m8lluJ7FWMa9RaYKH++rE2xqgAt4RrUSqMP7c7B:4u4HAFvYKH+uE2PAQpncN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe

Loads dropped DLL 2 IoCs

pid	Process
1032	rundll32.exe
5080	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3508	1480	f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe	86
PID 1480 wrote to memory of 3508	1480	f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe	86
PID 1480 wrote to memory of 3508	1480	f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe	86
PID 3508 wrote to memory of 1032	3508	control.exe	87
PID 3508 wrote to memory of 1032	3508	control.exe	87
PID 3508 wrote to memory of 1032	3508	control.exe	87
PID 1032 wrote to memory of 2860	1032	rundll32.exe	94
PID 1032 wrote to memory of 2860	1032	rundll32.exe	94
PID 2860 wrote to memory of 5080	2860	RunDll32.exe	95
PID 2860 wrote to memory of 5080	2860	RunDll32.exe	95
PID 2860 wrote to memory of 5080	2860	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe
"C:\Users\Admin\AppData\Local\Temp\f68ef9447b68a22a1b7a275e1ba08682562aea659464097917035bfdcce514a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\SIB6.mLQ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\SIB6.mLQ
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\SIB6.mLQ
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\SIB6.mLQ
        5⤵
        Loads dropped DLL
        
        PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SIB6.mLQ

Filesize
1.1MB

MD5
3d03d4259bf7bbef153b82f316035f83

SHA1
e73a72fcaa764f21907558445a9d6576191a3971

SHA256
572104331ec59d7c2ed8df9decc17979c74e52448b9e59c703c2b2baded47a47

SHA512
e04f1a2a0f0851c52e0410c8446dae604d57124cd8b9a44d2e6808458c4e599f1201cf67515b18546a81ca1953e0bd7c51c2cd9d407ee30a45549738b2b97d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sib6.mlQ

Filesize
1.1MB

MD5
3d03d4259bf7bbef153b82f316035f83

SHA1
e73a72fcaa764f21907558445a9d6576191a3971

SHA256
572104331ec59d7c2ed8df9decc17979c74e52448b9e59c703c2b2baded47a47

SHA512
e04f1a2a0f0851c52e0410c8446dae604d57124cd8b9a44d2e6808458c4e599f1201cf67515b18546a81ca1953e0bd7c51c2cd9d407ee30a45549738b2b97d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sib6.mlQ

Filesize
1.1MB

MD5
3d03d4259bf7bbef153b82f316035f83

SHA1
e73a72fcaa764f21907558445a9d6576191a3971

SHA256
572104331ec59d7c2ed8df9decc17979c74e52448b9e59c703c2b2baded47a47

SHA512
e04f1a2a0f0851c52e0410c8446dae604d57124cd8b9a44d2e6808458c4e599f1201cf67515b18546a81ca1953e0bd7c51c2cd9d407ee30a45549738b2b97d05

Download Submit
memory/1032-139-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/1032-140-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/1032-141-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1032-142-0x0000000002DE0000-0x0000000002EC7000-memory.dmp

Filesize
924KB

Download
memory/1032-145-0x0000000002DE0000-0x0000000002EC7000-memory.dmp

Filesize
924KB

Download
memory/1032-146-0x0000000002DE0000-0x0000000002EC7000-memory.dmp

Filesize
924KB

Download
memory/1032-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5080-150-0x0000000002840000-0x0000000002846000-memory.dmp

Filesize
24KB

Download
memory/5080-152-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/5080-153-0x0000000002E00000-0x0000000002EE7000-memory.dmp

Filesize
924KB

Download
memory/5080-156-0x0000000002E00000-0x0000000002EE7000-memory.dmp

Filesize
924KB

Download
memory/5080-157-0x0000000002E00000-0x0000000002EE7000-memory.dmp

Filesize
924KB

Download