c624cb7576bd5b2f9e43c254e2c56e34fccd2145f345e0d472da5cc0605655c1

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74b64a82f447487a3e86c545ea45d623.exe
Size

1.8MB
MD5

74b64a82f447487a3e86c545ea45d623
SHA1

0223379f6328524053497962a74f1f64d678dda4
SHA256

c624cb7576bd5b2f9e43c254e2c56e34fccd2145f345e0d472da5cc0605655c1
SHA512

4d0013aa96101118fb8b4777318bce08db0a83ab5d1d70fac4f8233ae2689a09802ba37eccacb921cbeba6b08aaa48c627362d8545b19ebfbc89ec8a27f05041
SSDEEP

24576:AI3VYIiC96Q35g3Z6hEYBOKKqw7gLS8wl2XIYToxEpYWX4+33IQk3:PmIfQf0L1MsToxyrIN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	74b64a82f447487a3e86c545ea45d623.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	74b64a82f447487a3e86c545ea45d623.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2480	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4132	74b64a82f447487a3e86c545ea45d623.exe
4132	74b64a82f447487a3e86c545ea45d623.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4132	74b64a82f447487a3e86c545ea45d623.exe
4132	74b64a82f447487a3e86c545ea45d623.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2480	4132	74b64a82f447487a3e86c545ea45d623.exe	93
PID 4132 wrote to memory of 2480	4132	74b64a82f447487a3e86c545ea45d623.exe	93
PID 4132 wrote to memory of 2480	4132	74b64a82f447487a3e86c545ea45d623.exe	93

C:\Users\Admin\AppData\Local\Temp\74b64a82f447487a3e86c545ea45d623.exe
"C:\Users\Admin\AppData\Local\Temp\74b64a82f447487a3e86c545ea45d623.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cpuz_driver_4132.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpuz_driver_4132.log

Filesize
1KB

MD5
d12d6708dd29eec5817425f2543ad5ff

SHA1
610c84e9286e50d881a726004c4a7a47638bb3d6

SHA256
569218c1f5294306f9bdb903d0366803529c0ac1a8687b56ef242c1ac8777c1e

SHA512
7395c4c55666810d67ca5a077f1b0702dab2a4964a3ea1c7f15e66fddcfe6798afc4f5a3f7e432f87d7a10c3b6103810ba0b4d5ddbddfa6597c113caf0583683

Download Submit
memory/4132-0-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/4132-31-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download