4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe
Size

66KB
MD5

2e8458beadb18a23fdda0d72efbe80e1
SHA1

cd307dcd59dbb112317f5aa04e46d96fe984d5fe
SHA256

4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a
SHA512

8cd06fcaf8fc7f340cfe7a431a0ba7ccd7e538b74547bad1738a03d59c3ed2a2a9a01519392f76c31f5535469d69c5c7cebc501b646c317dd5aa3c47d8904622
SSDEEP

1536:PMPBTxV+1ADAx2p82Ug8KCRO3ZJlb/Lkb3gXC:PMPBgADAs89RGtgcXC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3364	3516	4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe	81
PID 3516 wrote to memory of 3364	3516	4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe	81
PID 3516 wrote to memory of 3364	3516	4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe	81

C:\Users\Admin\AppData\Local\Temp\4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe
"C:\Users\Admin\AppData\Local\Temp\4c1c08011bc9f67f59aeb0ee95e8675d39d90b240341df1441bfdac48c0f8d8a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ldf..bat" > nul 2> nul
  2⤵
  PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ldf..bat

Filesize
274B

MD5
3fb60d65d69af7f26f19b3d08b7ff764

SHA1
ff2bded026b74d8474f2430b715d49bdafc63684

SHA256
9ebbe778645f6f54ef98303af0dc9bd51476053d1e35353fe7c3869ec576451a

SHA512
55fc9f89c6398d5b818748bf72ff2025a9f7eb534cd479ac8d8a9538f9164ed766e14c3449895af6d9c9b9eff22f4760dcd36e10b8d7e7ce7c40eab3a19bfdfc

Download Submit
memory/3516-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3516-136-0x0000000002080000-0x000000000209E000-memory.dmp

Filesize
120KB

Download
memory/3516-137-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3516-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3516-140-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download