d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe
Size

1.6MB
MD5

611eb67b23a08dc63e88eb5aeee6855c
SHA1

dcb20256dfe4c1732ca1b6e2152050e09aed6b14
SHA256

d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9
SHA512

69a287d52533e3566d93e7492b63f2ef5f1f90629d65d7ae9e7ba492b1bf9726ba6c8909bc774045b2a0c85b90ae0c7e65434755ecea186bfac62708a69bca2f
SSDEEP

49152:2fWhNaBfJXAE3JVFAJ6FGMG6ALyyOrIgxky:2fWhNaBfKEVXFGp6Zr3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe

Loads dropped DLL 1 IoCs

pid	Process
924	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 924	4132	d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe	84
PID 4132 wrote to memory of 924	4132	d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe	84
PID 4132 wrote to memory of 924	4132	d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe	84

C:\Users\Admin\AppData\Local\Temp\d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe
"C:\Users\Admin\AppData\Local\Temp\d0727d8b1c4e1965879ab4b4c3307e84ca421477a02ea6d1a06707a3621742f9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" .\0OM0j7G.P /S
  2⤵
  - Loads dropped DLL
  PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0OM0j7G.P

Filesize
1.0MB

MD5
5c2fc38e9c306d6e482ce405fd7d99c6

SHA1
c73218e085b196147303b42bcef3cb2a56467a4b

SHA256
a53334052fb7544b98cc3f808e73ec4d49357003aea9e8ea3d232fd1b1b15801

SHA512
5987df3e725e4a6daa380d5915a4f4d8b51322c890389b8455a02cdc1e702324ae00577e3408134d47bbb829596a1b0264d468a41e6ef5706069025c431affa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oM0j7g.P

Filesize
1.0MB

MD5
5c2fc38e9c306d6e482ce405fd7d99c6

SHA1
c73218e085b196147303b42bcef3cb2a56467a4b

SHA256
a53334052fb7544b98cc3f808e73ec4d49357003aea9e8ea3d232fd1b1b15801

SHA512
5987df3e725e4a6daa380d5915a4f4d8b51322c890389b8455a02cdc1e702324ae00577e3408134d47bbb829596a1b0264d468a41e6ef5706069025c431affa1

Download Submit
memory/924-137-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/924-139-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/924-140-0x0000000002720000-0x0000000002805000-memory.dmp

Filesize
916KB

Download
memory/924-141-0x0000000002A20000-0x0000000002AEE000-memory.dmp

Filesize
824KB

Download
memory/924-144-0x0000000002A20000-0x0000000002AEE000-memory.dmp

Filesize
824KB

Download
memory/924-145-0x0000000002A20000-0x0000000002AEE000-memory.dmp

Filesize
824KB

Download