8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264

Analysis

max time kernel
156s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe
Size

196KB
MD5

6bc3dcbc58d4c7b2f66045d95060f8c0
SHA1

04b360ee724b88b80e57c66f923ed65f21806be3
SHA256

8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264
SHA512

dfc773266cbc3fe12ffabc0cb0d7036f8accccca4ef4bcdf5909c4dcd01d536448433dd76ee9888f4f686d5c5191665dbd3fee9a0a895043c735e622fc2d7b7a
SSDEEP

3072:aM65zTN7RH9Avf4Z53fpp0dL5qxpubZyejITv9fXFg1:1mTNJ0fC53Bp0dLiobP+v9fVa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3484	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4996	4540	8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe	83
PID 4540 wrote to memory of 4996	4540	8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe	83
PID 4540 wrote to memory of 4996	4540	8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe	83
PID 4996 wrote to memory of 3484	4996	cmd.exe	87
PID 4996 wrote to memory of 3484	4996	cmd.exe	87
PID 4996 wrote to memory of 3484	4996	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe
"C:\Users\Admin\AppData\Local\Temp\8c6c62bda1ed74b462b518cd4481b6965aa88780d5911aa2088c1f131f051264.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F57C.tmp.bat" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F57C.tmp.bat

Filesize
130B

MD5
ec87cceeeed3b94cfe3da392b2970e8b

SHA1
2becc7d8d50a59bf03298001262b156e8ad396d3

SHA256
7985f1ee99bb2a08f08bf95d6d6c99dec3c918f2694e19ae28b504841a001486

SHA512
a092949eec35e8abba034de7881a5940b8f301ef34a3a9523dba14d6a0e30fa7659b89a599f6803536077210466e42fa37cac535a710aaab152321390709558a

Download Submit