Analysis
-
max time kernel
130s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 22:17
Static task
static1
Behavioral task
behavioral1
Sample
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe
Resource
win10v2004-20220414-en
General
-
Target
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe
-
Size
365KB
-
MD5
def2219991114fbac93aca787579946c
-
SHA1
e2c877782f16b786db3d569895a23fe9920e2ad4
-
SHA256
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d
-
SHA512
1f5252c63ed6959b96fcc10863dee2f39ef949f2d18905f821fb429d5e471345b7564bd0bccdee22eeefdcced3a883bd0b5bc9e29bbabb2442a17ebdd4793109
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exepid process 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exedescription pid process Token: SeShutdownPrivilege 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe Token: SeCreatePagefilePrivilege 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exedescription pid process target process PID 4848 wrote to memory of 1760 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe cmd.exe PID 4848 wrote to memory of 1760 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe cmd.exe PID 4848 wrote to memory of 1760 4848 e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe"C:\Users\Admin\AppData\Local\Temp\e2b0c5d95f9948b45b28b909ec716fe8df305d2b63d6b8e433aee3279929b32d.exe"1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaLiMOvNOdBwMEiu.bat" "2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RaLiMOvNOdBwMEiu.batFilesize
204B
MD53d4f97b50d6621b401fe9fa145165f3f
SHA10a670665466f9c87f0b48f546b4e66b2c1e36847
SHA256799527350343e613346df61e38606f027703eb9052840a5804a5465fc09b3868
SHA51208b912447e93b97cc3e390b3c677a553ade6ceaa8fb3461378d25a33ea0d225ddd3eb05f6e3db3b1ff138289856458548f9e4919afc18a66c6eaa87d21e55a60
-
memory/1760-130-0x0000000000000000-mapping.dmp