b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5

Analysis

max time kernel
92s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe
Size

81KB
MD5

46335c5ec3259978929826ada00c19b0
SHA1

e159171c08c80dacdd1baf1d9047d017054839fe
SHA256

b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5
SHA512

82cc165a1b8f43f13fa218018d2c9e3d9efe2a599f6366dea616a0d9b6a10ab930421edd5c27019ddf84507d2e5bf4b41fbb7cdd87b249ce1b7e0e1f15c0ea9e
SSDEEP

1536:oq3N1gp8JtPFjwc5bC6PX41arB7Q0lrfR/eK0yZvR58PL5/PcXpqjd8NIs9NO1B0:6pEjhlYK0IvEP5cXpqB8x+B/YJH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 928	1512	b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe	81
PID 1512 wrote to memory of 928	1512	b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe	81
PID 1512 wrote to memory of 928	1512	b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe	81

C:\Users\Admin\AppData\Local\Temp\b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe
"C:\Users\Admin\AppData\Local\Temp\b76965a211c0e98f490b567c988e158375c5468ec1d8d2120e097919ab9dbdb5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jkf..bat" > nul 2> nul
  2⤵
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jkf..bat

Filesize
274B

MD5
8ee3340b3ba34e74ca280d6e75000044

SHA1
d97c05af104dc0c9dca3fff0c231e08f87cbca62

SHA256
78946501668db9647f4f078625985da3a96a15d2096411fc5a6a547fa1de23b6

SHA512
7bc449380b70ba38b387a6ad128277a603b972665aac11abba354ba9a95d6758b6dad8303e6f05e929d06128e5e8f457de78443e45b4595b534ffe973348245a

Download Submit
memory/1512-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1512-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1512-134-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1512-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download