88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a

Resubmissions

01/03/2024, 13:18

240301-qj37qagc71 7

28/12/2023, 16:27

231228-tygh2sheh8 10

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
Size

1.7MB
MD5

5f1977ff2e710323036df5bf5fd7df2b
SHA1

cf856ca9dfee5a3935d5e7ad192044438ab6c500
SHA256

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a
SHA512

8cc6808e0285a73ca90f4247982e1ee635f492a54929bad49c55ebe45f3ba45eba80777043085b811e91ceb72fab744af6e9bc93185b7450a44323886efa743a
SSDEEP

49152:2svcOp7uaMh54agPw0Ic02gRotHcBWJz9FNFU:2s0KCHDdg40I9LsFQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe

Executes dropped EXE 1 IoCs

pid	Process
624	windows_encryptor_180870197840.exe

Loads dropped DLL 7 IoCs

pid	Process
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe
624	windows_encryptor_180870197840.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 624	4076	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	91
PID 4076 wrote to memory of 624	4076	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	91

C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
"C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe
  "C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\libffi-8.dll

Filesize
32KB

MD5
c262a0d445f9e205965d67c8371a69f5

SHA1
1debd5d11a0b01033028c7ea987cdc8fc47b8e57

SHA256
e689c781dd0619b02f2a06f9a5648c3246927be14eb3475afde74830545df7f3

SHA512
6463003d821e9146ef891d19f0d67e70053ff5f598a5ff76f0cb9b8afffdc4c546f17d73847d901107898b56be034871db6d9171b22a40059c07cc4b7c939300

Download Submit
C:\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll

Filesize
1.4MB

MD5
be3a6ad5ea008a9ee637a70c787438c0

SHA1
9779f2855cdb9adce2f0c3d96e966062e1ac2742

SHA256
ffa16dc5e7c788c8269ab4e00b53aba3f8970e89a7f5c25f967e534f6e10e047

SHA512
df9b9a80a6633c7e45dbbc04cb6e8dcd533fac01a6fecf8685cdbe4c283c10277d2e90851575e47e952aa802f4dd803dcd024f06e94e0178d3bd76e5ef4a9bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgobject-2.0-0.dll

Filesize
341KB

MD5
87d4006fb7140faef9f4a38bcf7b098a

SHA1
0cc317b73e6fcebce8884cd0820f0b8f578b702b

SHA256
9a124a0d54771d360155323f5a1d08a9e852dc392a45ffac3a9ba2cb30ad5da3

SHA512
c6d0fe1d6b84e581204f77bc1ab163bec2b6f38aa62460dd665779965f2fb4954ad2eb87ed8e2488bd4cd07246992b4b41fa697f7ab5efb84185c8cb30037fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libiconv-2.dll

Filesize
1.1MB

MD5
263263b8395e0c8f153aae906fad2115

SHA1
b427c166e72d0fe1e2d4c243f245670833678593

SHA256
55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760

SHA512
99339321ebf22515dfb8ac38978e1fccb31ea33370afd55f86f6ef7441e2096cef47c1e23bc059ee47059afb10c0523e4605ccf555843d59077c1218ec444140

Download Submit
C:\Users\Admin\AppData\Local\Temp\libintl-8.dll

Filesize
137KB

MD5
b14f928937e24087a3a4d7b0abc9ac84

SHA1
c8402d666433943a556d27c4ecd9b0a66d390feb

SHA256
56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e

SHA512
f7bc1886f2355c5ed1ed8799cd159bd1c56207eecc938318447e64e4bf73fc6afe0501803c149140afa4ddb942355835437b25b84900c31c64ca48d765f4a203

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpcre2-8-0.dll

Filesize
383KB

MD5
b4fb65c58608e6ed15e741d0c7b90d4a

SHA1
1776cb143ae59b8926b87c71309f4f1b21d3fb64

SHA256
b9e1acb2ba4c96b9b52bfa5ec25b169e5cb52e688de026c2d964af42e92081e1

SHA512
29cafebc97a5c700f8163bd877563ee3c1b4432f6da9f845f4b91e77badd62c5dbec05fe92d5468987e1c7eb6e4ac56b459ee342e6ec99d66685106fb662e3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
327KB

MD5
bba9b0e6578c9da54601ea50044b25ed

SHA1
dc4f597dcb3363e0ca0077113715d2502683c12a

SHA256
22f58b94c7e3d02e8c7192783ef8b802ea6396271f8bb8ce68d2fccf1a672baa

SHA512
b2017e022263a39f643c1059ae25ebb90bc479401a929c3f4e23531b7e33e3a7e7f04ab52de8c1fed9ea2702c901f72e27c49bac14489df34f7dd7b6bcf1db29

Download Submit
memory/624-34-0x00007FF701220000-0x00007FF70126F000-memory.dmp

Filesize
316KB

Download
memory/624-35-0x00007FF842630000-0x00007FF84268A000-memory.dmp

Filesize
360KB

Download
memory/624-36-0x00007FF845CC0000-0x00007FF845CD0000-memory.dmp

Filesize
64KB

Download
memory/624-37-0x00007FF832E10000-0x00007FF832F75000-memory.dmp

Filesize
1.4MB

Download
memory/624-39-0x00007FF832CF0000-0x00007FF832E09000-memory.dmp

Filesize
1.1MB

Download
memory/624-38-0x00007FF8429F0000-0x00007FF842A19000-memory.dmp

Filesize
164KB

Download
memory/624-40-0x00007FF838CD0000-0x00007FF838D37000-memory.dmp

Filesize
412KB

Download