e2de6a757a132efba2e41b895b7020dbf409ee4848c18255186597406afa51fd

Analysis

max time kernel
124s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

lLlzNurMIAMtkCl.exe
Size

191KB
MD5

082c70a7f1a63a2df52d4bb36685b2a6
SHA1

fb041b6004ef1b953ef10fcf03bba06507fdf700
SHA256

e2de6a757a132efba2e41b895b7020dbf409ee4848c18255186597406afa51fd
SHA512

2bf6f2aa04d79f8500860ece44cad2788dee3eb0bfe676320331af54fd9996cd5d062c120fa6ec50a7d297ffaf3a1178e86f08e96b678b822134d6b5eaa07e66
SSDEEP

3072:N9mtDqOjU907JTYMjRM6npmDBFdVNSu61U1aEr8R+kXEBGSk8qvv5bQrx:jcNjy2eghSguB0R5XEBG4q35Qr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation	lLlzNurMIAMtkCl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000_Classes\Local Settings	lLlzNurMIAMtkCl.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1956	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	lLlzNurMIAMtkCl.exe
2764	lLlzNurMIAMtkCl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1956	2764	lLlzNurMIAMtkCl.exe	90
PID 2764 wrote to memory of 1956	2764	lLlzNurMIAMtkCl.exe	90
PID 2764 wrote to memory of 1956	2764	lLlzNurMIAMtkCl.exe	90

C:\Users\Admin\AppData\Local\Temp\lLlzNurMIAMtkCl.exe
"C:\Users\Admin\AppData\Local\Temp\lLlzNurMIAMtkCl.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWID.txt

Filesize
271B

MD5
49a11a6e090da134a73e09077afc1b28

SHA1
31efcc76a261df3b1123aff42f8ed363d4be0320

SHA256
d3fe9321dee25674c4f2fc389661fcefed6507bdc14150dca8697415291cf5b6

SHA512
a919ae1f81129fcb3cc4ddb0e561558b6141b42327ee0bfb34fa706b549c23ff75c855a178ebe065a97bc61308a28107b05f88cf62f047f0228aa9b65adc63f1

Download Submit