62a9a4a09e83bc1ba11bfd726f28324236ca3ec638c7cc46c39aff3ca8f2d9a2

Resubmissions

17/03/2023, 06:31

230317-g95zkaef24 7

12/03/2023, 18:45

230312-xebp8sha2t 7

Analysis

max time kernel
261s
max time network
265s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.3MB
MD5

36eed7c142e558ed187afea4f6c949c3
SHA1

907d03e167621f5685ad8aae482faebf9cffdd7b
SHA256

62a9a4a09e83bc1ba11bfd726f28324236ca3ec638c7cc46c39aff3ca8f2d9a2
SHA512

bf4916e9a532606e2520bbc24dea60ef496f84891974fcb1b3b469d23deae6563b6fb30291fd67ac3f18bcaea5e14680e195f9310550d0a8ce8b66d0cd448102
SSDEEP

98304:I6/sYnlE/5X3BsTpdKl1aDeL2QeLPb/K+EH/:4sWRHGe1GJVPTOH/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1260	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1260	rundll32.exe
1260	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
4308	powershell.exe
1260	rundll32.exe
1260	rundll32.exe
4308	powershell.exe
1548	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1548	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1548	dllhost.exe
Token: SeSecurityPrivilege	1548	dllhost.exe
Token: SeTakeOwnershipPrivilege	1548	dllhost.exe
Token: SeLoadDriverPrivilege	1548	dllhost.exe
Token: SeSystemProfilePrivilege	1548	dllhost.exe
Token: SeSystemtimePrivilege	1548	dllhost.exe
Token: SeProfSingleProcessPrivilege	1548	dllhost.exe
Token: SeIncBasePriorityPrivilege	1548	dllhost.exe
Token: SeCreatePagefilePrivilege	1548	dllhost.exe
Token: SeBackupPrivilege	1548	dllhost.exe
Token: SeRestorePrivilege	1548	dllhost.exe
Token: SeShutdownPrivilege	1548	dllhost.exe
Token: SeDebugPrivilege	1548	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1548	dllhost.exe
Token: SeRemoteShutdownPrivilege	1548	dllhost.exe
Token: SeUndockPrivilege	1548	dllhost.exe
Token: SeManageVolumePrivilege	1548	dllhost.exe
Token: 33	1548	dllhost.exe
Token: 34	1548	dllhost.exe
Token: 35	1548	dllhost.exe
Token: 36	1548	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1548	dllhost.exe
Token: SeSecurityPrivilege	1548	dllhost.exe
Token: SeTakeOwnershipPrivilege	1548	dllhost.exe
Token: SeLoadDriverPrivilege	1548	dllhost.exe
Token: SeSystemProfilePrivilege	1548	dllhost.exe
Token: SeSystemtimePrivilege	1548	dllhost.exe
Token: SeProfSingleProcessPrivilege	1548	dllhost.exe
Token: SeIncBasePriorityPrivilege	1548	dllhost.exe
Token: SeCreatePagefilePrivilege	1548	dllhost.exe
Token: SeBackupPrivilege	1548	dllhost.exe
Token: SeRestorePrivilege	1548	dllhost.exe
Token: SeShutdownPrivilege	1548	dllhost.exe
Token: SeDebugPrivilege	1548	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1548	dllhost.exe
Token: SeRemoteShutdownPrivilege	1548	dllhost.exe
Token: SeUndockPrivilege	1548	dllhost.exe
Token: SeManageVolumePrivilege	1548	dllhost.exe
Token: 33	1548	dllhost.exe
Token: 34	1548	dllhost.exe
Token: 35	1548	dllhost.exe
Token: 36	1548	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1548	dllhost.exe
Token: SeSecurityPrivilege	1548	dllhost.exe
Token: SeTakeOwnershipPrivilege	1548	dllhost.exe
Token: SeLoadDriverPrivilege	1548	dllhost.exe
Token: SeSystemProfilePrivilege	1548	dllhost.exe
Token: SeSystemtimePrivilege	1548	dllhost.exe
Token: SeProfSingleProcessPrivilege	1548	dllhost.exe
Token: SeIncBasePriorityPrivilege	1548	dllhost.exe
Token: SeCreatePagefilePrivilege	1548	dllhost.exe
Token: SeBackupPrivilege	1548	dllhost.exe
Token: SeRestorePrivilege	1548	dllhost.exe
Token: SeShutdownPrivilege	1548	dllhost.exe
Token: SeDebugPrivilege	1548	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1548	dllhost.exe
Token: SeRemoteShutdownPrivilege	1548	dllhost.exe
Token: SeUndockPrivilege	1548	dllhost.exe
Token: SeManageVolumePrivilege	1548	dllhost.exe
Token: 33	1548	dllhost.exe
Token: 34	1548	dllhost.exe
Token: 35	1548	dllhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 1260	4940	tmp.exe	85
PID 4940 wrote to memory of 1260	4940	tmp.exe	85
PID 4940 wrote to memory of 1260	4940	tmp.exe	85
PID 4940 wrote to memory of 1260	4940	tmp.exe	85
PID 4940 wrote to memory of 1260	4940	tmp.exe	85
PID 4940 wrote to memory of 4308	4940	tmp.exe	86
PID 4940 wrote to memory of 4308	4940	tmp.exe	86
PID 4940 wrote to memory of 4308	4940	tmp.exe	86
PID 4940 wrote to memory of 4308	4940	tmp.exe	86
PID 4940 wrote to memory of 4308	4940	tmp.exe	86
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88
PID 1260 wrote to memory of 1548	1260	rundll32.exe	88

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" cache.tmp,cleanup
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\System32\dllhost.exe
    dllhost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0egc0jn.z5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb87C4.tmp

Filesize
1KB

MD5
95b30b4831f432124e970713da9485ad

SHA1
f94da006bcb480ecfaf9043dd52b5650a906dc06

SHA256
9e489490152484dc08fdaeb35b66b48d11e78bc294c8ad0c8bde1cb8101493f6

SHA512
cb3ea06f9ed7360bc865541aeb8d2d6dbd3c7618bddf298b5c67caa891145317a617efb71a2235581dedba64bc2c351e185bf8866dec98d3707aed0849f32b0d

Download Submit
memory/1260-170-0x00007FF485500000-0x00007FF4858D1000-memory.dmp

Filesize
3.8MB

Download
memory/1260-177-0x0000021B55EB0000-0x0000021B55F53000-memory.dmp

Filesize
652KB

Download
memory/1260-135-0x0000021B57EE0000-0x0000021B581EB000-memory.dmp

Filesize
3.0MB

Download
memory/1260-141-0x0000021B55EB0000-0x0000021B55F53000-memory.dmp

Filesize
652KB

Download
memory/1260-156-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1260-144-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1260-158-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1260-148-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1260-133-0x0000021B55EB0000-0x0000021B55F53000-memory.dmp

Filesize
652KB

Download
memory/1260-151-0x00007FFE78E70000-0x00007FFE78E80000-memory.dmp

Filesize
64KB

Download
memory/1260-134-0x0000021B55EB0000-0x0000021B55F53000-memory.dmp

Filesize
652KB

Download
memory/1260-153-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1260-157-0x00000003AF2D0000-0x00000003B012F000-memory.dmp

Filesize
14.4MB

Download
memory/1548-200-0x000001B420A40000-0x000001B420AE3000-memory.dmp

Filesize
652KB

Download
memory/1548-198-0x000001B43C7C0000-0x000001B43C7D0000-memory.dmp

Filesize
64KB

Download
memory/1548-181-0x00007FFEF8C70000-0x00007FFEF8E65000-memory.dmp

Filesize
2.0MB

Download
memory/1548-197-0x000001B43C7C0000-0x000001B43C7D0000-memory.dmp

Filesize
64KB

Download
memory/1548-201-0x00007FFE78E70000-0x00007FFE78E80000-memory.dmp

Filesize
64KB

Download
memory/1548-199-0x000001B43C7C0000-0x000001B43C7D0000-memory.dmp

Filesize
64KB

Download
memory/1548-169-0x000001B420A40000-0x000001B420AE3000-memory.dmp

Filesize
652KB

Download
memory/1548-202-0x000001B43C7C0000-0x000001B43C7D0000-memory.dmp

Filesize
64KB

Download
memory/1548-196-0x000001B43C7C0000-0x000001B43C7D0000-memory.dmp

Filesize
64KB

Download
memory/1548-172-0x000001B420A40000-0x000001B420AE3000-memory.dmp

Filesize
652KB

Download
memory/1548-173-0x000001B422550000-0x000001B422553000-memory.dmp

Filesize
12KB

Download
memory/1548-174-0x000001B422560000-0x000001B422565000-memory.dmp

Filesize
20KB

Download
memory/1548-205-0x000001B43C7D0000-0x000001B43C9EC000-memory.dmp

Filesize
2.1MB

Download
memory/1548-176-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4308-149-0x000001DAA4DD0000-0x000001DAA4E73000-memory.dmp

Filesize
652KB

Download
memory/4308-194-0x000001DAC0A80000-0x000001DAC0C9C000-memory.dmp

Filesize
2.1MB

Download
memory/4308-195-0x000001DAA4DD0000-0x000001DAA4E73000-memory.dmp

Filesize
652KB

Download
memory/4308-171-0x000001DAC0870000-0x000001DAC0880000-memory.dmp

Filesize
64KB

Download
memory/4308-164-0x000001DAC06E0000-0x000001DAC0702000-memory.dmp

Filesize
136KB

Download
memory/4308-155-0x00007FFE78E70000-0x00007FFE78E80000-memory.dmp

Filesize
64KB

Download
memory/4308-154-0x000001DAA4DD0000-0x000001DAA4E73000-memory.dmp

Filesize
652KB

Download
memory/4308-140-0x000001DAA4DD0000-0x000001DAA4E73000-memory.dmp

Filesize
652KB

Download
memory/4940-152-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/4940-136-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/4940-137-0x00007FFE78E70000-0x00007FFE78E80000-memory.dmp

Filesize
64KB

Download