178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe
Size

598KB
MD5

23310b0361db04abd2b81d71fc300557
SHA1

2ebbd7cc1d018ef4872413d8c01f65c3b99914d1
SHA256

178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf
SHA512

1a7e989003bfbb51381755d8089249e6c9478765b8ece9570113745e271131b4bf08d24d3d99a06895f5a3ad5d0a17434f78fe9afac322aa2c198b5b2b5cf7dc
SSDEEP

12288:tmLoLgmqLjKDzsMLYvNMy2RFQnyPve0gvJ2D:tmLoLgJLjKDzs9NMy2RFQnyPve0gxe

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4332	Sysceamdvdkc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4952-132-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4332-136-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x000a000000022e3e-135.dat	upx
behavioral2/files/0x000a000000022e3e-134.dat	upx
behavioral2/memory/4952-138-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4332-139-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe
4332	Sysceamdvdkc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4332	4952	178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe	83
PID 4952 wrote to memory of 4332	4952	178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe	83
PID 4952 wrote to memory of 4332	4952	178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe	83

C:\Users\Admin\AppData\Local\Temp\178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe
"C:\Users\Admin\AppData\Local\Temp\178babbbf127d9d56c35721fabb518f664593b959e6158bf61e54caa049d8dcf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Sysceamdvdkc.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamdvdkc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamdvdkc.exe

Filesize
598KB

MD5
637e57112f302f0765d8611d35a29523

SHA1
19cd61bb253f6879c9c4d0cd279cbe3a256abb13

SHA256
a8123eb6aad9af5aa751c0b2f4f13dbde8f8c405b374bd6db631b7046fc1470e

SHA512
66f43722f0466190b33f1467c614a491024cac8fef311dbdfc08d1588c35be8ef7e2068f5707903a4d0bf8fe8eed7f2ec72b01321e59ffb95723ba420ec0bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamdvdkc.exe

Filesize
598KB

MD5
637e57112f302f0765d8611d35a29523

SHA1
19cd61bb253f6879c9c4d0cd279cbe3a256abb13

SHA256
a8123eb6aad9af5aa751c0b2f4f13dbde8f8c405b374bd6db631b7046fc1470e

SHA512
66f43722f0466190b33f1467c614a491024cac8fef311dbdfc08d1588c35be8ef7e2068f5707903a4d0bf8fe8eed7f2ec72b01321e59ffb95723ba420ec0bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
c99a253e33d3075a257c57ef3e0391cc

SHA1
6a929c390e7a7cfa26ba18a08e35425442370997

SHA256
2469677b945f589e6924c10dcfe3369ba08e03c360d0c33bbcb8f74c6b527c74

SHA512
f38628b2795cac856e756b66a32634a549f71bf2eb4f3a851b82fd81bd3cf7c045d4971c43b988fc5478ae61f9b9483fba0bc4c57d03a0ad8c0ea56eebd356ab

Download Submit
memory/4332-136-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4332-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4952-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4952-138-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download