bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104

Analysis

max time kernel
115s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe
Size

213KB
MD5

792a46d84a2ac219f4d90c819fc10578
SHA1

dc3cff81ca482b71e1be8870c0e38d98bd4d9710
SHA256

bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104
SHA512

37fb632252e93c9419f0eef0e534fe58b169652f9ce1ef0f1f3439aa03c4482cf39caebdd52df74ffcee3f91e0ca9a2a3f071f0c523fa55f53594795409a00fe
SSDEEP

3072:WGf6viAIxc9LNyRulW1fyNi2i9sn4SK0qt94kJ+7fno7DFkMO3jF9G:WGuCxciuW1Ksvf0q907Q7DF43jF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3644	2912	bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe	76
PID 2912 wrote to memory of 3644	2912	bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe	76
PID 2912 wrote to memory of 3644	2912	bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe	76

C:\Users\Admin\AppData\Local\Temp\bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe
"C:\Users\Admin\AppData\Local\Temp\bd0dfde8e40a9ebbad1fae43ee9a99f5fd936f6db7fa4c4f9800df1bdc7eb104.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Czz..bat" > nul 2> nul
  2⤵
  PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Czz..bat

Filesize
274B

MD5
e970aa06d7a6f836279efc3f89ace158

SHA1
51d3a8a1a695e43d5c6d2aa60a2f8a17eb9e5de4

SHA256
15c0ab6792fba29acd6ee7d72d1d18fc4cd4dc01f3920526893a62eff0d74ff2

SHA512
b94a0acde2155a52e3b68a38468262a75c6f1668ea280f45cc09a038dbad5ed0fae8a214d6955446bc5107fdf4c2be9901284f05e2ebe4eae6e5385f05335570

Download Submit
memory/2912-132-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2912-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download