e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056

Analysis

max time kernel
163s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
Size

196KB
MD5

682e2b9d20296f785ddc4d14f36c5890
SHA1

53f416e09a160435952b0e7d555bbbee2761062e
SHA256

e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056
SHA512

4cfb42bd7d352394074fd1d8e637eb945136453165b6307d1332855eac008f7c0cb06e5298afcfc6a9467178103252d0766dc4eccea49f138df4121ba3aee39b
SSDEEP

3072:aM65zTN7RH9Avfeo3fpp0dL5qxpubZyejITv9fXFg1:1mTNJ0fp3Bp0dLiobP+v9fVa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1652	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4740	2556	e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe	81
PID 2556 wrote to memory of 4740	2556	e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe	81
PID 2556 wrote to memory of 4740	2556	e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe	81
PID 4740 wrote to memory of 1652	4740	cmd.exe	83
PID 4740 wrote to memory of 1652	4740	cmd.exe	83
PID 4740 wrote to memory of 1652	4740	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
"C:\Users\Admin\AppData\Local\Temp\e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A25A.tmp.bat" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A25A.tmp.bat

Filesize
130B

MD5
d56456b749193e8708004c52e8b034ef

SHA1
e63702f74124c60b7f7e4c4e731fd7565060a80a

SHA256
64b7a6132aee7cf27a6179dbc0329f839b0dc686ee1cec134e037cd4204787d9

SHA512
2cebb84dca7b6c488bdd5a0b936f474b9108f993ec6bbb7534b13769a6fbabd5ab43236727d1a32cb2069c082403e6f869172a2c0e455846a1f77124952e8f97

Download Submit