8f161c203384b95bc5b20e122a9c1c68

General
Target

8f161c203384b95bc5b20e122a9c1c68.exe

Filesize

323KB

Completed

20-01-2022 20:02

Score
7/10
MD5

8f161c203384b95bc5b20e122a9c1c68

SHA1

c72b4a03fef8c75ff0aab7bd97722249c9334ab0

SHA256

4ea881ce90cbf4c9f6f26b940e062bbd147531c6754390f7e61784d892b54668

Malware Config
Signatures 4

Filter: none

Discovery
  • Checks computer location settings
    8f161c203384b95bc5b20e122a9c1c68.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation8f161c203384b95bc5b20e122a9c1c68.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    8f161c203384b95bc5b20e122a9c1c68.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege8168f161c203384b95bc5b20e122a9c1c68.exe
  • Suspicious use of WriteProcessMemory
    8f161c203384b95bc5b20e122a9c1c68.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 816 wrote to memory of 23848168f161c203384b95bc5b20e122a9c1c68.exepowershell.exe
    PID 816 wrote to memory of 23848168f161c203384b95bc5b20e122a9c1c68.exepowershell.exe
    PID 816 wrote to memory of 23848168f161c203384b95bc5b20e122a9c1c68.exepowershell.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe
    "C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe"
    Checks computer location settings
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=
      PID:2384
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/816-130-0x0000000000340000-0x0000000000398000-memory.dmp

                        • memory/816-131-0x00000000050E0000-0x0000000005684000-memory.dmp