ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 15:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe
Size

19KB
MD5

a124448cecf6ff583e6d999ff2a99360
SHA1

f8341ac6fb98bb7016e11cb02dcd576915d15342
SHA256

ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d
SHA512

39293893cbd94eb3e129f142847ac97db226ed0057c2a199c2ef9d51966ad6f79512c490598461fe7cf047fbaff1008090bf311d705703e831a216b6ee810620
SSDEEP

384:+7ZfapsmVHgRK/rJ1OetA8gA49lBrenVyJB6w:OpgTARK/rRggVgB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	updatepdf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1420	648	ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe	83
PID 648 wrote to memory of 1420	648	ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe	83
PID 648 wrote to memory of 1420	648	ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe	83

C:\Users\Admin\AppData\Local\Temp\ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe
"C:\Users\Admin\AppData\Local\Temp\ea050ba3edf69098fb60541704ba7fe8a1d215420e9f2bffbd1d3e57cf39cb9d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\updatepdf.exe
  "C:\Users\Admin\AppData\Local\Temp\updatepdf.exe"
  2⤵
  - Executes dropped EXE
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updatepdf.exe

Filesize
19KB

MD5
63348bfd1528fa14f71efac8f29d0d1f

SHA1
f776c67cb8fbd0bfa917336e4109730117aa30c2

SHA256
7a693f604c831d22b403ad3a4f71cf4ea3275c7423ca0fcdec03bece8756e70d

SHA512
a0a460e1c6565db3112cdb37fabc0a1eb61ef8b0294d65b90099eda5af81b5ac14b74c9ea93bba97f4254b6d595c94bf82098be8a179a8e6036e1d66fcb6db57

Download Submit
C:\Users\Admin\AppData\Local\Temp\updatepdf.exe

Filesize
19KB

MD5
63348bfd1528fa14f71efac8f29d0d1f

SHA1
f776c67cb8fbd0bfa917336e4109730117aa30c2

SHA256
7a693f604c831d22b403ad3a4f71cf4ea3275c7423ca0fcdec03bece8756e70d

SHA512
a0a460e1c6565db3112cdb37fabc0a1eb61ef8b0294d65b90099eda5af81b5ac14b74c9ea93bba97f4254b6d595c94bf82098be8a179a8e6036e1d66fcb6db57

Download Submit