Analysis
- max time kernel: 94s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
  Resource: win10v2004-20220414-en
General
- Target: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe
- Size: 54KB
- MD5: 0b0be038a905dfbdd3c957664f7567e7
- SHA1: 05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
- SHA256: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
- SHA512: cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 5080  Svhost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry; likely a geofence check.
  Processes:
    fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe  queried key value  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature description rates this as likely ransomware behaviour, but no IoC was recorded for it in this run.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    PID 2344 (fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe) wrote to memory of PID 5080 (Svhost.exe)
    PID 2344 (fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe) wrote to memory of PID 5080 (Svhost.exe)
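The behaviours flagged above form one chain: the sample writes a copy of itself to the user's Temp directory under a name one character off from svchost.exe, reads the Geo\Nation registry value, starts the copy, and writes into the child's memory. The Python below is an added example written for this page, not code from the Triage report or from the sample. It runs a single detection pass over constructed, Sysmon-shaped events that reuse the report's PIDs, paths and hashes; the event field names, the system-binary allowlist and the constructed events themselves are assumptions.

```python
"""Detection pass over Sysmon-shaped telemetry for the behaviour chain in this
report. Added example for this page; not code from the Triage report or the sample."""
import ntpath

# SHA256 copied from the report's General / Downloads sections.
SAMPLE_SHA256 = "fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db"

# Process access-mask bits (winnt.h); WriteProcessMemory needs both VM bits.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"
# Assumed allowlist: system binary name -> directory it legitimately runs from.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32",
                   "lsass.exe": r"c:\windows\system32",
                   "explorer.exe": r"c:\windows"}

# Constructed events (not taken from the sandbox run), shaped loosely after
# Sysmon event IDs 1, 10, 11 and 13 but using the report's PIDs, paths and hashes.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "ProcessCreate", "pid": 2344, "ppid": 1234,
     "image": TEMP + "\\" + SAMPLE_SHA256 + ".exe", "sha256": SAMPLE_SHA256},
    {"type": "RegistryEvent", "pid": 2344,
     "target": r"HKU\S-1-5-21-1081944012-3634099177-1681222835-1000"
               r"\Control Panel\International\Geo\Nation"},
    {"type": "FileCreate", "pid": 2344, "target": TEMP + r"\Svhost.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "ProcessCreate", "pid": 5080, "ppid": 2344,
     "image": TEMP + r"\Svhost.exe", "sha256": SAMPLE_SHA256},
    {"type": "ProcessAccess", "pid": 2344, "target_pid": 5080,
     "granted_access": PROCESS_ALL_ACCESS},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character-off lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_finding(image: str):
    """Return a reason if the image name imitates a system binary, else None."""
    name = ntpath.basename(image).lower()      # ntpath handles backslashes on any OS
    directory = ntpath.dirname(image).lower()
    for legit, legit_dir in SYSTEM_BINARIES.items():
        distance = edit_distance(name, legit)
        if distance == 0 and directory != legit_dir:
            return f"{name} running outside {legit_dir}"
        if distance == 1:
            return f"{name} is one edit away from {legit}"
    return None


def analyze(events):
    """Walk the events once and return 'category: detail' findings in order."""
    findings = []
    procs = {}  # pid -> ProcessCreate event, for parent/child and hash lookups
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            procs[e["pid"]] = e
            reason = masquerade_finding(e["image"])
            if reason:
                findings.append(f"masquerade: pid {e['pid']} {reason}")
            parent = procs.get(e["ppid"])
            if parent and e.get("sha256") and e["sha256"] == parent.get("sha256"):
                findings.append(f"self-copy: pid {e['pid']} is a byte-identical copy of parent pid {parent['pid']}")
        elif kind == "FileCreate":
            writer = procs.get(e["pid"])
            if writer and e.get("sha256") and e["sha256"] == writer.get("sha256"):
                findings.append(f"self-drop: pid {e['pid']} wrote a copy of itself to {e['target']}")
        elif kind == "RegistryEvent" and e["target"].lower().endswith(GEO_NATION_SUFFIX):
            findings.append(f"geofence: pid {e['pid']} read Control Panel\\International\\Geo\\Nation")
        elif kind == "ProcessAccess":
            needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if e["granted_access"] & needed == needed:
                target = procs.get(e["target_pid"])
                relation = "its own child" if target and target["ppid"] == e["pid"] else "an unrelated process"
                findings.append(f"memory-write: pid {e['pid']} opened {relation} pid {e['target_pid']} with VM_WRITE|VM_OPERATION")
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The hash comparison is what separates self-replication from a real second stage: here the dropped Svhost.exe carries the parent's own SHA256, so the "drop and execute" pattern is a copy of the sample re-launching itself. The parent-writes-to-own-child check is the classic process-hollowing shape but is also produced by some legitimate sandboxed browsers, so treat it as a medium-confidence signal that needs the surrounding context (Temp-directory lookalike name, self-copy) to become a verdict.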
Processes
- C:\Users\Admin\AppData\Local\Temp\fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe (PID 2344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Svhost.exe (PID 5080, child of 2344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Svhost.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Svhost.exe
  Filesize: 54KB
  MD5: 0b0be038a905dfbdd3c957664f7567e7
  SHA1: 05c0cf8270dbb2015ccecbeba4b5d54ddcf92d48
  SHA256: fdc9b22a9a4babb44c95f67de6e09a8e8a5ab0c805141739fa81c88ef99d84db
  SHA512: cfd01a4175b846c1e0e6324c392eb3100c33009ddb2cffa077f49df902277b9e4744b655182bf8c750961ddc1a3174aa830c5477465633a71c3ef7cfd2ab6963
  Same size and hashes as the submitted sample: the dropped Svhost.exe is a byte-identical copy of the parent executable, not a separate second-stage payload.
- memory/2344-130-0x00000000004B0000-0x00000000004C4000-memory.dmp (80KB)
- memory/2344-131-0x00007FF922E20000-0x00007FF9238E1000-memory.dmp (10.8MB)
- memory/2344-132-0x00007FF922E20000-0x00007FF9238E1000-memory.dmp (10.8MB)
- memory/2344-137-0x00007FF922E20000-0x00007FF9238E1000-memory.dmp (10.8MB)
- memory/5080-133-0x0000000000000000-mapping.dmp
- memory/5080-136-0x00007FF922E20000-0x00007FF9238E1000-memory.dmp (10.8MB)