ee17c806a1c41f64ab9b68bbdab802c06a9da8890afb5cea2f66b544b88eaed9

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads/cde34053c215372ba47c1c8fbd6b25a7.exe
Size

586KB
MD5

cde34053c215372ba47c1c8fbd6b25a7
SHA1

6958eea76c1097ef9c205e734c4baf93b0f47e04
SHA256

c243a13a3604d8c29d04b46eebbbd590f1d5b1d39ae5be93f800763a5a592a6e
SHA512

f6e018d9454c206a6b3449d4a6162c59c21cef8a832270b66b6a125e5bd1dca2f1048e0e85b4da594403b9c2218908d42f61d7593aa79f009486b7f927a77f14
SSDEEP

12288:/k5L2FqPvuuuuuuuuuz95QRuLtH/J2IW+xItN7dmqJCt4I3U:/2yQPK3COHEvhVaK/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cde34053c215372ba47c1c8fbd6b25a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cde34053c215372ba47c1c8fbd6b25a7.exe

Executes dropped EXE 1 IoCs

Processes:

poso.exe

pid process

2744 poso.exe
Loads dropped DLL 1 IoCs

Processes:

poso.exe

pid process

2744 poso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2744	poso.exe

pid	process
2744	poso.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cde34053c215372ba47c1c8fbd6b25a7.exe

description	pid	process	target process
PID 2248 wrote to memory of 2744	2248	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe
PID 2248 wrote to memory of 2744	2248	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe

C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Public\Libraries\poso.exe
"C:\Users\Public\Libraries\poso.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Public.avi
Filesize
259KB

MD5
42717fabe6bd5bc3ad0525b4e2f798cb

SHA1
a375801df689de89ccf76d3809d4c0312ae9b6b4

SHA256
208f27df0b90098d7034c5b1525db5955abf56add5a7392f77bc1d1b63fc6044

SHA512
bcd8f51e054d1b5723ceb34e76d6f2c43c470c99eeac6e4be7a2064cf970f1f7d01b639880a4463a1e53d6391d5d6fa3e93f0bb88052eb1cba1867726c256bb5

Download Submit
C:\Users\Public\Libraries\calibre-launcher.dll
Filesize
263KB

MD5
c7ce5c2433a4611b178b9a96fd9fee51

SHA1
2d4a3820be3a714e054249cc08de9262f6015f27

SHA256
7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681

SHA512
7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06

Download Submit
C:\Users\Public\Libraries\calibre-launcher.dll
Filesize
263KB

MD5
c7ce5c2433a4611b178b9a96fd9fee51

SHA1
2d4a3820be3a714e054249cc08de9262f6015f27

SHA256
7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681

SHA512
7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06

Download Submit
C:\Users\Public\Libraries\poso.exe
Filesize
85KB

MD5
0cefb63147949f535c5a13714609fa81

SHA1
1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b

SHA256
eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803

SHA512
456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138

Download Submit
C:\Users\Public\Libraries\poso.exe
Filesize
85KB

MD5
0cefb63147949f535c5a13714609fa81

SHA1
1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b

SHA256
eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803

SHA512
456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138

Download Submit
memory/2744-150-0x00007FFC77F70000-0x00007FFC78165000-memory.dmp

Filesize
2.0MB

Download
memory/2744-151-0x00007FFC756F0000-0x00007FFC759B9000-memory.dmp

Filesize
2.8MB

Download
memory/2744-152-0x00007FFC77110000-0x00007FFC771CE000-memory.dmp

Filesize
760KB

Download
memory/2744-153-0x00007FFC77BB0000-0x00007FFC77D51000-memory.dmp

Filesize
1.6MB

Download
memory/2744-154-0x000002A68B280000-0x000002A68B2C1000-memory.dmp

Filesize
260KB

Download
memory/2744-156-0x00007FFC35740000-0x00007FFC35750000-memory.dmp

Filesize
64KB

Download
memory/2744-162-0x00007FFC35740000-0x00007FFC35750000-memory.dmp

Filesize
64KB

Download