d1e2dbb528852b1ba8b60ee65e0b8e68f6d586a25d097a9a18441e7113ea14be

Analysis

max time kernel
97s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
Size

10KB
MD5

52adb8644330dcae514aefd34c017f32
SHA1

9583bd3b7577258189b966871a08a6a36d4a00eb
SHA256

d1e2dbb528852b1ba8b60ee65e0b8e68f6d586a25d097a9a18441e7113ea14be
SHA512

30be31902975b53cbafe8dd669bae89097a513a9be2dead31b9320d26556cefc9da6a034660cb8d0281e6a167c90b76c1c37d9a1f859252eb60123f464a34b89
SSDEEP

192:TL0AUNdaLixyaupSiP/VunlYJLLLTuCadvLvLvLvLvLvLvLvLvLvgQfP5cq7av:TL0AmdaLikV3hPLTuCadvLvLvLvLvLvy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

VIRUS USE ON VIRTUAL MACHINE ONLY!!.execmd.exenet.exe

description	pid	process	target process
PID 4504 wrote to memory of 4252	4504	VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe	cmd.exe
PID 4504 wrote to memory of 4252	4504	VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe	cmd.exe
PID 4252 wrote to memory of 1496	4252	cmd.exe	net.exe
PID 4252 wrote to memory of 1496	4252	cmd.exe	net.exe
PID 1496 wrote to memory of 3200	1496	net.exe	net1.exe
PID 1496 wrote to memory of 3200	1496	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
"C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\net.exe
net user Admin *
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin *
4⤵
PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat
Filesize
1KB

MD5
9f421a9cda41ae45c58c938b1c193c90

SHA1
e490ca3bcbf851bb2c74a811830996335b57b995

SHA256
6e81c22ca610fe5a6cf087fe8d1ecabb48d53e101d9f76d79cfb71a7251e206d

SHA512
1f7cbddfebe906aa310ff8f8bb5a7a02e7980f40b6d741b851e2a47b67bfbf657c7773085562bec6c2d592a79febe6ff649987fafb7fd65b4c0bb576e0b6abae

Download Submit
memory/4504-133-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download