4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e

Analysis

max time kernel
138s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe
Size

78KB
MD5

28cb621e871f8edbfdb36ce0728db4ca
SHA1

0bcd09cbf2d3a55857e64738e9a368895f9f95ea
SHA256

4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e
SHA512

ba87d648118fed4ba0a0fe63ec9ae35b7ce138feaded5285f3420276f7aeb22aa193b381dd5d72bcb4105e056b94f91f804ab2630010249eb40276317f567fbf
SSDEEP

1536:nR8jgVoGs8pQjci3Qi6mDfq+TKsySfizW7KsdN36M/w6YZ8:SjasFgi3pySay7KS/w58

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4752	5100	4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe	81
PID 5100 wrote to memory of 4752	5100	4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe	81
PID 5100 wrote to memory of 4752	5100	4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe	81

C:\Users\Admin\AppData\Local\Temp\4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\4363251abcc9b4b91f21d241977e260b47afb81b8c8e83b5b1031e001774ba1e.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hrf..bat" > nul 2> nul
  2⤵
  PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hrf..bat

Filesize
274B

MD5
49873ad2a12819ef7d76cd6bdddd827a

SHA1
dee240d646686b3d5b71d0a9cf04ac8e79c93b1b

SHA256
02f62f5383f37bced93b794ccd1aadf962ed4a2b5013013b487cdf7e2f294be8

SHA512
b21472aa3a2450b9334163c5c63c17e6a1935c6753de9dd11c8ca643404406626ed35f3dbf68b99fc48f59733a6ec8dd813c8a2171e05d995002e5f51a8b6a9d

Download Submit
memory/5100-133-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5100-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5100-136-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads