00f95f1fa39f7367e0f06914a849b7d7690e151cee62655bbc1898f158afcb24

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mHmOLEyJBlJCkpm.exe
Size

191KB
MD5

bc7cafd1bd1911564a5108a5ebeb5ced
SHA1

06bd827d928a6e606cec54678f5d22a813225d9a
SHA256

00f95f1fa39f7367e0f06914a849b7d7690e151cee62655bbc1898f158afcb24
SHA512

8be11b3b69337531ebac4cc7c01b9b881e37ad2abc342589b7f9e542eb55ed71080fcd6656e9d594d985120c3cdd4070356b10c63532612881ac40418c8c52e9
SSDEEP

3072:sVIoL0YkBG0fYzRzlstxzH705HkGUtA4EctCHEZIYGTqMWbzU9:sVII5kBGZqxUGt5EHEy5m3zY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mHmOLEyJBlJCkpm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mHmOLEyJBlJCkpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	mHmOLEyJBlJCkpm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	mHmOLEyJBlJCkpm.exe
2732	mHmOLEyJBlJCkpm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 996	2732	mHmOLEyJBlJCkpm.exe	87
PID 2732 wrote to memory of 996	2732	mHmOLEyJBlJCkpm.exe	87
PID 2732 wrote to memory of 996	2732	mHmOLEyJBlJCkpm.exe	87

C:\Users\Admin\AppData\Local\Temp\mHmOLEyJBlJCkpm.exe
"C:\Users\Admin\AppData\Local\Temp\mHmOLEyJBlJCkpm.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWID.txt

Filesize
271B

MD5
970ccf948e26316cc93c82d75aae3ba7

SHA1
31f5501507e035f3b910c62ffe2e4c5dbded9cb7

SHA256
58aedff947b5dbd19ab070acf2e0c411a9de0da634f1e931c33b4c133d325d28

SHA512
e1936420d1e28239e386c4de603940d46f5930d6c26358824a951796f0e28777fb1dad73a9a2e1df6aab5a0607c6c3b6ddd773e758cf4e907e3168e0d4b5125f

Download Submit