Analysis
max time kernel: 97s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 19:45
Static task: static1
Behavioral task: behavioral1
  Sample: VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
  Resource: win10-20230220-en
Behavioral task: behavioral2
  Sample: VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
  Resource: win10v2004-20230220-en
General
Target: VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
Size: 10KB
MD5: 52adb8644330dcae514aefd34c017f32
SHA1: 9583bd3b7577258189b966871a08a6a36d4a00eb
SHA256: d1e2dbb528852b1ba8b60ee65e0b8e68f6d586a25d097a9a18441e7113ea14be
SHA512: 30be31902975b53cbafe8dd669bae89097a513a9be2dead31b9320d26556cefc9da6a034660cb8d0281e6a167c90b76c1c37d9a1f859252eb60123f464a34b89
SSDEEP: 192:TL0AUNdaLixyaupSiP/VunlYJLLLTuCadvLvLvLvLvLvLvLvLvLvgQfP5cq7av:TL0AmdaLikV3hPLTuCadvLvLvLvLvLvy
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation   VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs net.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                    target process
  PID 4504 wrote to memory of 4252   4504  VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe    cmd.exe
  PID 4504 wrote to memory of 4252   4504  VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe    cmd.exe
  PID 4252 wrote to memory of 1496   4252  cmd.exe                                    net.exe
  PID 4252 wrote to memory of 1496   4252  cmd.exe                                    net.exe
  PID 1496 wrote to memory of 3200   1496  net.exe                                    net1.exe
  PID 1496 wrote to memory of 3200   1496  net.exe                                    net1.exe
Processes
C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe (PID 4504, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 4252, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe (PID 1496, depth 3)
      command line: net user Admin *
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe (PID 3200, depth 4)
        command line: C:\Windows\system32\net1 user Admin *
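The process tree records the sample running a dropped cmd.bat that invokes `net user Admin *`; the trailing `*` makes net.exe prompt for a new password for the Admin account, and net.exe hands the actual work to net1.exe, which is why a fourth process appears. The detection logic below is an added example and is not part of the sandbox report. It replays constructed Sysmon-style process-creation events (ProcessId, ParentProcessId, Image, CommandLine, as in Sysmon Event ID 1) that mirror the tree above, rebuilds each parent/child chain and flags net.exe password changes launched from a script host. Only the PIDs, image paths and command lines come from the report; the parent PID of the root process (1234) and the sample event list are assumptions made for the example, and the regex also covers the inline form `net user <account> <password>` that the report does not show.

```python
"""Detection logic for the process chain recorded in this report.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's process tree; field names follow Sysmon Event ID 1.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon records it
    cmdline: str


# Constructed events mirroring the report's process tree. PID 1234 for the
# parent of the sample is an assumption (the report does not show it).
SAMPLE_EVENTS = [
    ProcEvent(4504, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe"'),
    ProcEvent(4252, 4504, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "'),
    ProcEvent(1496, 4252, r"C:\Windows\system32\net.exe", "net user Admin *"),
    ProcEvent(3200, 1496, r"C:\Windows\system32\net1.exe",
              r"C:\Windows\system32\net1 user Admin *"),
]

# Interpreters that a dropped script (here cmd.bat) would run under.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# "net user <account> *" prompts for a new password; "net user <account> <pw>"
# sets it inline. Switches such as /delete are excluded from the second group,
# so account queries and deletions do not match.
NET_USER_RE = re.compile(
    r'(?:^|\\)net1?(?:\.exe)?"?\s+user\s+"?([^\s"/]+)"?\s+(\*|[^\s/"]\S*)',
    re.IGNORECASE,
)


def build_chain(events, pid):
    """Return image basenames from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def detect_net_user_password_change(events):
    """Flag net.exe / net1.exe invocations that set or prompt for a password."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        if name not in ("net.exe", "net1.exe"):
            continue
        parent = by_pid.get(e.ppid)
        # net.exe delegates to net1.exe with the same arguments; report the pair once.
        if parent and ntpath.basename(parent.image).lower() == "net.exe":
            continue
        m = NET_USER_RE.search(e.cmdline)
        if not m:
            continue
        chain = build_chain(events, e.pid)
        findings.append({
            "pid": e.pid,
            "account": m.group(1),
            "mode": "interactive_prompt" if m.group(2) == "*" else "inline",
            "chain": chain,
            "from_script_host": len(chain) >= 2 and chain[-2].lower() in SCRIPT_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_net_user_password_change(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the detector reports a single finding for PID 1496: account Admin, interactive prompt, chain sample.exe > cmd.exe > net.exe, launched from a script host. In a real pipeline the same logic applies to Sysmon Event ID 1 or Windows Security 4688 records; note that the interactive `*` form blocks on stdin, so in an unattended sandbox the password is never actually set, which is consistent with no further activity in the tree.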
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\cmd.bat
  Filesize: 1KB
  MD5: 9f421a9cda41ae45c58c938b1c193c90
  SHA1: e490ca3bcbf851bb2c74a811830996335b57b995
  SHA256: 6e81c22ca610fe5a6cf087fe8d1ecabb48d53e101d9f76d79cfb71a7251e206d
  SHA512: 1f7cbddfebe906aa310ff8f8bb5a7a02e7980f40b6d741b851e2a47b67bfbf657c7773085562bec6c2d592a79febe6ff649987fafb7fd65b4c0bb576e0b6abae
memory/4504-133-0x0000000000B10000-0x0000000000B18000-memory.dmp
  Filesize: 32KB