47d53a6d231fb86dcb89dd2f83560654cc427d495e9ba72413c9033683c3cdf9

Analysis

max time kernel
65s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected (2)/1/Application.exe
Size

566KB
MD5

d39006b5f48fb225c61b75414c712a58
SHA1

7eb5c3dda79df5a2e958ba34e3d43c19b4bb7b4b
SHA256

c936f1598721a9a92d7f31c6c13b55013b8a2a344e3df4156e5b033006336544
SHA512

e91e47d6c11878a5a92cd6afb56b09a34c273784d00482ffe7bfbdf516b6e072083290cf5b27554d5614b13e6a8a9bfa5dce5cc6ce2f91bc3e5a98d326d27011
SSDEEP

12288:4SL9St9NTTTQnGBxUAh8qVoxZBlgNuyfOuZzUbA5Od1Dbp6C2H:dLEt9NTnQcxVofAEIYkybp12H

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Application.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Application.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Application.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Application.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Application.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Application.exe

description	pid	process	target process
PID 4616 wrote to memory of 1472	4616	Application.exe	XLGameUpdate.exe
PID 4616 wrote to memory of 1472	4616	Application.exe	XLGameUpdate.exe
PID 4616 wrote to memory of 1472	4616	Application.exe	XLGameUpdate.exe

C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe
"C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe"
2⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4616-133-0x000000006D0F0000-0x000000006D100000-memory.dmp

Filesize
64KB

Download