c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5

Analysis

max time kernel
85s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe
Size

73KB
MD5

7d05991430cedf2c24d904ce254cdda1
SHA1

3057c622d46d3fadaa901c84d78d3c989a1ee45b
SHA256

c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5
SHA512

d874cd0d5250699078330e34342d3bfb6cb1ba77ec26cf53c7d49527629b0cd03959d19d9f053cd28d5547897b5137c9e6e736de112fffd58b917022b0a3b8a1
SSDEEP

1536:ePR/tH5CdwfwZgRG3sV7llkrvS4TmQfYMz/+nVRcqlW:ePR/z1YZgRGIlkrFBfYMz/+lW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4840	2040	c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe	83
PID 2040 wrote to memory of 4840	2040	c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe	83
PID 2040 wrote to memory of 4840	2040	c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe	83

C:\Users\Admin\AppData\Local\Temp\c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe
"C:\Users\Admin\AppData\Local\Temp\c623c6afc2a4937318dfdf222d15eae1d4efc1d4d27902b76177f5a8026000c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Uxf..bat" > nul 2> nul
  2⤵
  PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uxf..bat

Filesize
274B

MD5
ae18c0e81ea90a7d27b73933aaab5b6c

SHA1
f032b46847a5b8ac13eefe2c210aed40a00cec10

SHA256
7ea79c86d736d2c4186eee344ba1994ee25f1b654749314020cb703f7661fde0

SHA512
5e2802bbc6c8325b88198ad1b9cd9dc406d47c2f551c6078d21240343ce271c0306b292e2b35baa9ec49b1f56d7385f9f985036f63b6df2ee0bbf1e9d2a4d9c9

Download Submit
memory/2040-132-0x0000000002160000-0x000000000217A000-memory.dmp

Filesize
104KB

Download
memory/2040-133-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2040-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download