ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67

Analysis

max time kernel
156s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
Size

92KB
MD5

6b9a869286f6f4d042ce6b86ad5598f1
SHA1

134e5c4f65b2c41193954b220e207bc8cccc32ba
SHA256

ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67
SHA512

c5980fd73d648071b448c7d1f955271558707aa36a32848ce78daa84b5c187745362787fe194e23fbd06688dedd63dfa09b8597e9e1198e4f102ad484ee01cc9
SSDEEP

768:4mp1D5+8+yyCExggbX4xyhKpDq3yWqimSr4CsDqel30JbP6XTI3WoUUZ+IcnR7S:4CD5ePN4xye0q3tDj8r6XEJTc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4448	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4304	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
4304	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3680	4304	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	82
PID 4304 wrote to memory of 3680	4304	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	82
PID 4304 wrote to memory of 3680	4304	ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe	82
PID 3680 wrote to memory of 4448	3680	cmd.exe	84
PID 3680 wrote to memory of 4448	3680	cmd.exe	84
PID 3680 wrote to memory of 4448	3680	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe
"C:\Users\Admin\AppData\Local\Temp\ebfda79f9d2e26d2087e5f5d9b06690a5c779d48e925f7a279fd8b6151d03f67.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del ebfda79f9d2e26d2087e5f5d9b06690a5c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3680-135-0x0000000000000000-mapping.dmp

Download
memory/4448-136-0x0000000000000000-mapping.dmp

Download