06429eae76265388efa2e75096af8ed944a094ff8edcdcbed231a3a12cb5f7ee

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-07-2022 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe
Size

934KB
MD5

9fb987b3f3c05b245fe4d9b867296f3f
SHA1

85f479e1198ca53cb34a246ebe0f5843d94c36f2
SHA256

06429eae76265388efa2e75096af8ed944a094ff8edcdcbed231a3a12cb5f7ee
SHA512

73da4822024fb48d2161328f4e0dbf839d94be37b778a26f32f44dc1318cb4afb27b58e5063d9d51714bcf5f3aae92361567be4eed43aee54fd5ed9697632bea

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe
Token: SeCreatePagefilePrivilege	2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4940	2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe	84
PID 2124 wrote to memory of 4940	2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe	84
PID 2124 wrote to memory of 4940	2124	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe	84

C:\Users\Admin\AppData\Local\Temp\4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe
"C:\Users\Admin\AppData\Local\Temp\4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669-unpack.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSK8jIwY5ywMns6S.bat" "
  2⤵
  PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSK8jIwY5ywMns6S.bat

Filesize
204B

MD5
bd3cd1663b78d93695041945a826e787

SHA1
0e23b1a8285fd6d63cc33327bfaa196c09b0d647

SHA256
79777e6f78754f783664f6808cc0f5b23933b2747389767def9b65e44715f09b

SHA512
3ba3800ce562f65a83cd78fc40e08f1f29b54d80bc6dbaa94cb58e59064b5285ad9dacd02e938374b7ff6d23ab9cecce80c06f30401aedaf756c7d538b69b8bf

Download Submit