Analysis
- max time kernel: 65s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 16:51
Static task
- static1

Behavioral tasks
- behavioral1: Sample infected (2)/1/Application.exe, Resource win7-20230220-en
- behavioral2: Sample infected (2)/1/Application.exe, Resource win10v2004-20230220-en
- behavioral3: Sample infected (2)/1/XLGameUpdate.exe, Resource win7-20230220-en
- behavioral4: Sample infected (2)/1/XLGameUpdate.exe, Resource win10v2004-20230220-en
- behavioral5: Sample infected (2)/2/Console.exe, Resource win7-20230220-en
- behavioral6: Sample infected (2)/2/Console.exe, Resource win10v2004-20230220-en
General
- Target: infected (2)/1/Application.exe
- Size: 566KB
- MD5: d39006b5f48fb225c61b75414c712a58
- SHA1: 7eb5c3dda79df5a2e958ba34e3d43c19b4bb7b4b
- SHA256: c936f1598721a9a92d7f31c6c13b55013b8a2a344e3df4156e5b033006336544
- SHA512: e91e47d6c11878a5a92cd6afb56b09a34c273784d00482ffe7bfbdf516b6e072083290cf5b27554d5614b13e6a8a9bfa5dce5cc6ce2f91bc3e5a98d326d27011
- SSDEEP: 12288:4SL9St9NTTTQnGBxUAh8qVoxZBlgNuyfOuZzUbA5Od1Dbp6C2H:dLEt9NTnQcxVofAEIYkybp12H
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Application.exe: key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - Application.exe: file opened for modification \??\PhysicalDrive0
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 4616 (Application.exe) wrote to memory of PID 1472 (XLGameUpdate.exe)
  - PID 4616 (Application.exe) wrote to memory of PID 1472 (XLGameUpdate.exe)
  - PID 4616 (Application.exe) wrote to memory of PID 1472 (XLGameUpdate.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe"
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe"
Downloads
- memory/4616-133-0x000000006D0F0000-0x000000006D100000-memory.dmp (Filesize 64KB)