02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe
Size

64KB
MD5

a420f9ca044c493919b4054c6ffdc870
SHA1

ed39b918f4f349ec5c65d9ab8c42261fff8627e6
SHA256

02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe
SHA512

a32818f4d7dedbfb2c68e4560e77f096ccc9fd8b4bc4e6d4151f41c770110d3095ffb5cfff3181410f7a5d01baf931e0bddfde00a4a98dbcc1f1bb5b4333d9f3
SSDEEP

1536:xET64WKch3dQzOwtwSI3yHBUJu5OXIvzpjIp/L:xq64Wx3dmqSSyHBknGzpjA/L

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4056	2072	02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe	81
PID 2072 wrote to memory of 4056	2072	02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe	81
PID 2072 wrote to memory of 4056	2072	02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe	81

C:\Users\Admin\AppData\Local\Temp\02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe
"C:\Users\Admin\AppData\Local\Temp\02ef4243c21ba64d3622b0cdba21a598ca12da3b5fe5d5ba0e3871471e1cdcfe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nsb..bat" > nul 2> nul
  2⤵
  PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nsb..bat

Filesize
274B

MD5
13b151243eedd16a881a83a56552b15d

SHA1
447e9251f9ccf463b78bb928836591c1c9413675

SHA256
9198eb5528920e83769dda2b502cbebcadb7d3aa3757f757571d7a13d1951aac

SHA512
7ca0afca46548bbc78159d023fdd4c6d2166e9f819c6b745e3a400d9126abef3ef867d306fdc3649e28ea626895cc9ccac0d914ecd115c04ece1d40aa2ff8c41

Download Submit
memory/2072-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-133-0x00000000021E0000-0x00000000021F8000-memory.dmp

Filesize
96KB

Download
memory/2072-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download