ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe
Size

141KB
MD5

d577ca3ded6064571964e81d653b7032
SHA1

16f0586d74c27fa7f93a5841f1a8af58f90eef90
SHA256

ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1
SHA512

95d39fffe186814db96dc5a643ed4d226c40261720cfe9c8c051ab3b82e01fabc0d85571e539fd29c0bb22a9cd867c3349b8a64a9f165974712171eb04e0fd7f
SSDEEP

3072:VEyC8lvp2GyvYIDqgBHhpxqnyYHecOlA55iR35E6M2ipaEloZEdNR:qUEXpDqatYNOMkEneZKf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	tezin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3024	400	ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe	81
PID 400 wrote to memory of 3024	400	ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe	81
PID 400 wrote to memory of 3024	400	ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe	81

C:\Users\Admin\AppData\Local\Temp\ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe
"C:\Users\Admin\AppData\Local\Temp\ac7fda1ebc4423bd2dde110a44a51738e349528ad86d27e1cc6353ba55d3c1f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\tezin.exe
  "C:\Users\Admin\AppData\Local\Temp\tezin.exe"
  2⤵
  - Executes dropped EXE
  PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tezin.exe

Filesize
142KB

MD5
1633b0000da71e6847a5ca7c5ef9a3bc

SHA1
1c898105a0c3563579283cbd3d2a30fb3dbe50b9

SHA256
5b38d37e060f64b9f5a483146a9dfb3fc828e8069a2d033f15e7d9f1f6b6246c

SHA512
9c12518eefa53985c7da22a49a4334d60343af918bf8d18b1ffaf027240cea6c5159fcf03e37f938d1159c01cdf8d73a4ceda9141ce338a5089d7b688838c55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tezin.exe

Filesize
142KB

MD5
1633b0000da71e6847a5ca7c5ef9a3bc

SHA1
1c898105a0c3563579283cbd3d2a30fb3dbe50b9

SHA256
5b38d37e060f64b9f5a483146a9dfb3fc828e8069a2d033f15e7d9f1f6b6246c

SHA512
9c12518eefa53985c7da22a49a4334d60343af918bf8d18b1ffaf027240cea6c5159fcf03e37f938d1159c01cdf8d73a4ceda9141ce338a5089d7b688838c55d

Download Submit
memory/3024-132-0x0000000000000000-mapping.dmp

Download