c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09

Analysis

max time kernel
133s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe
Size

120KB
MD5

80440662a985c8b820c7568b441b3310
SHA1

f3ff45bd81001e67145372b11052a368ed14452a
SHA256

c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09
SHA512

71bd0ccdb7523afbe60377cffcc84371ffd6de0aee27fa58ab882fe1b03ea938e4a95a34d9ea34f3f39f73cb89bd7969b876d9f213d24a9fd2e8a15e8056cb21
SSDEEP

1536:72hA2mAK0nh2qeCk9EHJPVsXURFDvMO1Ra+3ZucQUBaYoEqaaoMQj5/9X9DMeLUX:7sZe9iw8Ffk+3ZucQUB/p9KVpT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1180	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3108	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe
3108	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4724	3108	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe	81
PID 3108 wrote to memory of 4724	3108	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe	81
PID 3108 wrote to memory of 4724	3108	c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe	81
PID 4724 wrote to memory of 1180	4724	cmd.exe	84
PID 4724 wrote to memory of 1180	4724	cmd.exe	84
PID 4724 wrote to memory of 1180	4724	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe
"C:\Users\Admin\AppData\Local\Temp\c157b98ff80fec82cd92f78b3fafbb0387e825ca7aa371b10350b061625d6d09.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del c157b98ff80fec82cd92f78b3fafbb0387
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads