fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218

Analysis

max time kernel
217s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe
Size

70KB
MD5

923fcf84b6b15d9d9f007ee408d508d0
SHA1

ebfb6012613cbf1d1344a0e8879a3f780fe204e4
SHA256

fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218
SHA512

ee1125e94851030b9aec2d7b000fe5d8af799664946f919d5951963fcc75e8d684bb185f550d9ddad9e73db37c35668cdd930800caf392ff89cd7fcecfffad9b
SSDEEP

768:AlxqyjUgf6NmaeKlbpOlEeUSvaDBAy1cEEoznVesIuvJ06GwkY+B71ZU9fGo8K:AZUuKlbsLFIAPEEPs1vC6GwkY+6LR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3924	5048	fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe	81
PID 5048 wrote to memory of 3924	5048	fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe	81
PID 5048 wrote to memory of 3924	5048	fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe	81

C:\Users\Admin\AppData\Local\Temp\fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe
"C:\Users\Admin\AppData\Local\Temp\fead6c78762e7ff41ce24ed951ae751a786c45e429bd5c623553232e1e5ce218.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
14d841b3a1480ec2550611457ecc17b0

SHA1
3bd2a3980d7105e63053bd7e1a75173479c4f473

SHA256
fcba40436a1131e47cb65ed6d5aa30908b91c2a14ab59219aae62b168ac78d6c

SHA512
b17e7a4f30e0891e270b8ea97e0a861cfe2fbb82c7896e694173d8a3100f9ba07531b1a3cb34f6a808d63d2755ba2885923b385cd488dc59d32b63f4fe03adb0

Download Submit
memory/5048-132-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download
memory/5048-134-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download