Analysis

  • max time kernel
    92s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 15:34

General

  • Target

    eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe

  • Size

    25KB

  • MD5

    a08a0aa983e1c95c1b72394fd1b18e70

  • SHA1

    58c3b51ccdb1aac67d09443e28a52b6f24bb7e52

  • SHA256

    eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7

  • SHA512

    968e1fc119ac2aa96067de653115d2f9c301e53e034b37ea5dfcbafbc789acb4155ac8f48aa5561df06c15cca24b564d851a9f29668205fc26a8ed890082f2fd

  • SSDEEP

    768:DS7nh4aQC9xkV1tdgI2MyzNORQtOflIwoHNV2XBFV72B4lA7ZsUI+/V:DS7nK8eztdgI2MyzNORQtOflIwoHNV2u

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
    "C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\ffengh.exe
      "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      PID:4580

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ffengh.exe

    Filesize

    25KB

    MD5

    786ca66a1428c854056c1685f2936fac

    SHA1

    524e6d4ba2953f96e2acf8705cbc466a16a83c71

    SHA256

    9feece5140f270b3bf6bdd05fc2b34304af238ad15f2b4e4014441428f65eb8c

    SHA512

    138d2abdf8e1c822865cef7b0a45f49c64542e3cef78533fecde6a243b350b4608df620828e2b02b8b07d4f1c751826e88d84886fc9a36e3b86f16a6fb25a0d8

  • C:\Users\Admin\AppData\Local\Temp\ffengh.exe

    Filesize

    25KB

    MD5

    786ca66a1428c854056c1685f2936fac

    SHA1

    524e6d4ba2953f96e2acf8705cbc466a16a83c71

    SHA256

    9feece5140f270b3bf6bdd05fc2b34304af238ad15f2b4e4014441428f65eb8c

    SHA512

    138d2abdf8e1c822865cef7b0a45f49c64542e3cef78533fecde6a243b350b4608df620828e2b02b8b07d4f1c751826e88d84886fc9a36e3b86f16a6fb25a0d8

  • memory/4580-140-0x0000000000430000-0x0000000000437000-memory.dmp

    Filesize

    28KB

  • memory/5012-132-0x00000000006E0000-0x00000000006E7000-memory.dmp

    Filesize

    28KB

  • memory/5012-133-0x00000000006E0000-0x00000000006E7000-memory.dmp

    Filesize

    28KB

  • memory/5012-134-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB