b9baef87ad23fba1d879d314be52bde59796c8a722a6a92735773a38e7d0dedd

Analysis

max time kernel
108s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CB.exe
Size

5.2MB
MD5

637700ea7452057be2367263a4cb43fd
SHA1

3ccc4d326211394aef8982ad13bcb5d118633ab8
SHA256

b9baef87ad23fba1d879d314be52bde59796c8a722a6a92735773a38e7d0dedd
SHA512

a5a03a76739c468c1010c2f45c1e11af85d9958ef6d5d2e5b6e25962ff893969d99d2bea5b084c02d11aed768adc850abbd58c1039a3ea6a30a478b13ce98faa
SSDEEP

98304:RYTvBcy/28tGbdAabkwouH4eJScfTpj8go4u7jJIWMsNJo/e:ScyO8WdAu5ouYeJtqgLiJIhs/o

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	CB.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1752-133-0x00000000003C0000-0x0000000000CA2000-memory.dmp	vmprotect
behavioral1/memory/1752-135-0x00000000003C0000-0x0000000000CA2000-memory.dmp	vmprotect
behavioral1/memory/1752-137-0x00000000003C0000-0x0000000000CA2000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3324	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3324	1752	CB.exe	86
PID 1752 wrote to memory of 3324	1752	CB.exe	86
PID 1752 wrote to memory of 3324	1752	CB.exe	86

C:\Users\Admin\AppData\Local\Temp\CB.exe
"C:\Users\Admin\AppData\Local\Temp\CB.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
cd19283d784e20ebb45bc9c37984f2dc

SHA1
f42176180bc56411e1ec2824bf71d04f82044cf1

SHA256
d72bbda98e3c604ba08da7862376f43032bb9d99c80cdbc62eed4f647e349e9c

SHA512
44ac07371e674a96141b48ed4ec1128daadcc37f58162ea2167dbaa73c8ce16fccac292e455ddd24f573306f31f62c2b5aaeb0a80a66e3317446db25a2ceed3b

Download Submit
memory/1752-133-0x00000000003C0000-0x0000000000CA2000-memory.dmp

Filesize
8.9MB

Download
memory/1752-135-0x00000000003C0000-0x0000000000CA2000-memory.dmp

Filesize
8.9MB

Download
memory/1752-137-0x00000000003C0000-0x0000000000CA2000-memory.dmp

Filesize
8.9MB

Download