b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2023 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe
Size

1.5MB
MD5

367f094a23882f6568da9a9690fbdda6
SHA1

ded681b3425e3216f2d0c54c735627f556adff9a
SHA256

b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92
SHA512

1e5fd6dcff827764555b825aaa540ee1404a51d3f44d92004649bbec24217c5dc344cd7a32affb7da36251aa6834c961c62cbd1b11687a74fb7155f80da9af54
SSDEEP

24576:DubsnafAPycJUICDnJU4NJK7KkVfhQ9oUUsEx8wVGIq3z9Frs1wL1PuRhk0fGfQo:rLLCDJU4eW9AGls1OuFE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe

Loads dropped DLL 2 IoCs

pid	Process
3788	rundll32.exe
2116	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3704	2292	b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe	86
PID 2292 wrote to memory of 3704	2292	b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe	86
PID 2292 wrote to memory of 3704	2292	b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe	86
PID 3704 wrote to memory of 3788	3704	control.exe	87
PID 3704 wrote to memory of 3788	3704	control.exe	87
PID 3704 wrote to memory of 3788	3704	control.exe	87
PID 3788 wrote to memory of 4400	3788	rundll32.exe	95
PID 3788 wrote to memory of 4400	3788	rundll32.exe	95
PID 4400 wrote to memory of 2116	4400	RunDll32.exe	96
PID 4400 wrote to memory of 2116	4400	RunDll32.exe	96
PID 4400 wrote to memory of 2116	4400	RunDll32.exe	96

C:\Users\Admin\AppData\Local\Temp\b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe
"C:\Users\Admin\AppData\Local\Temp\b22664c449441ce81f84ca0d480fb68b131306d4b611046233782d4eb7b81c92.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\RXj6.G
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\RXj6.G
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\RXj6.G
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\RXj6.G
        5⤵
        Loads dropped DLL
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RXj6.G

Filesize
1.2MB

MD5
8a874682f138fc28918825f79d066863

SHA1
3942365ca737c38526acf54ad5e9916868ac574a

SHA256
2f784741be596492d5e56521b94ca98a36d507089cf2f8080e077f5210e14042

SHA512
b4e3fbc984b182c56cad8dc8082cf6bc9cc750973efa923e02a1e8cd5b3fa7b127f0c83d5e4ab0004d1599555596810cee6b6c8a9d7f028c6aeec1248114b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rxj6.g

Filesize
1.2MB

MD5
8a874682f138fc28918825f79d066863

SHA1
3942365ca737c38526acf54ad5e9916868ac574a

SHA256
2f784741be596492d5e56521b94ca98a36d507089cf2f8080e077f5210e14042

SHA512
b4e3fbc984b182c56cad8dc8082cf6bc9cc750973efa923e02a1e8cd5b3fa7b127f0c83d5e4ab0004d1599555596810cee6b6c8a9d7f028c6aeec1248114b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rxj6.g

Filesize
1.2MB

MD5
8a874682f138fc28918825f79d066863

SHA1
3942365ca737c38526acf54ad5e9916868ac574a

SHA256
2f784741be596492d5e56521b94ca98a36d507089cf2f8080e077f5210e14042

SHA512
b4e3fbc984b182c56cad8dc8082cf6bc9cc750973efa923e02a1e8cd5b3fa7b127f0c83d5e4ab0004d1599555596810cee6b6c8a9d7f028c6aeec1248114b78c

Download Submit
memory/2116-160-0x0000000002D50000-0x0000000002E2F000-memory.dmp

Filesize
892KB

Download
memory/2116-159-0x0000000002D50000-0x0000000002E2F000-memory.dmp

Filesize
892KB

Download
memory/2116-156-0x0000000002D50000-0x0000000002E2F000-memory.dmp

Filesize
892KB

Download
memory/2116-155-0x0000000002C50000-0x0000000002D4A000-memory.dmp

Filesize
1000KB

Download
memory/2116-152-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/3788-141-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3788-149-0x0000000002C30000-0x0000000002D0F000-memory.dmp

Filesize
892KB

Download
memory/3788-148-0x0000000002C30000-0x0000000002D0F000-memory.dmp

Filesize
892KB

Download
memory/3788-145-0x0000000002C30000-0x0000000002D0F000-memory.dmp

Filesize
892KB

Download
memory/3788-144-0x0000000002B30000-0x0000000002C2A000-memory.dmp

Filesize
1000KB

Download
memory/3788-143-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3788-140-0x0000000000D20000-0x0000000000D26000-memory.dmp

Filesize
24KB

Download