84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536

Analysis

max time kernel
97s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe
Size

87KB
MD5

0094693f1cb7c104d08549d6ea90787a
SHA1

f50d193edadf040591d53d728399e119dcf82107
SHA256

84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536
SHA512

6ccd1e51a53800a046d706f08c4b1b08a9dc419f8d44134cf2c01737bdfaf701e1102888eb96e7ad7caa545050422dd48323a432de76c79e959d1155c296daa1
SSDEEP

1536:bi9H8b0AYYVSVZVLZphKOcipEyoF7G1DYXYHEw2aAqaqRCimpXoT8l73Qa2BAl3O:nKYCr7bp3gSBl7A3qRCi+Xo67gZA0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3860	2416	84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe	84
PID 2416 wrote to memory of 3860	2416	84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe	84
PID 2416 wrote to memory of 3860	2416	84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe	84

C:\Users\Admin\AppData\Local\Temp\84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe
"C:\Users\Admin\AppData\Local\Temp\84ce87bc40ac5fe67509431e35158fa5cae9564bb1cc52da7700b7a799f26536.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Qmj..bat" > nul 2> nul
  2⤵
  PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qmj..bat

Filesize
274B

MD5
811bc1f683052fe5a55ed80da607fc0e

SHA1
66944652a1a948f67c38ea9dfe1a7fcfc7b88d6d

SHA256
b53861fc64659b47c1fbd7371ec91d14e42d85277234366dc628a962b0b0b83b

SHA512
54042070dbc976ea639e34455766193f4779ca744bdcd1d661a6e2b20f0a68d3528547a57a954bd70d7faa06f4aaec0fa05bfdc01fd0cc0fae19eca47c92a7d3

Download Submit
memory/2416-132-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2416-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2416-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download