eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
Size

25KB
MD5

a08a0aa983e1c95c1b72394fd1b18e70
SHA1

58c3b51ccdb1aac67d09443e28a52b6f24bb7e52
SHA256

eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7
SHA512

968e1fc119ac2aa96067de653115d2f9c301e53e034b37ea5dfcbafbc789acb4155ac8f48aa5561df06c15cca24b564d851a9f29668205fc26a8ed890082f2fd
SSDEEP

768:DS7nh4aQC9xkV1tdgI2MyzNORQtOflIwoHNV2XBFV72B4lA7ZsUI+/V:DS7nK8eztdgI2MyzNORQtOflIwoHNV2u

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4580	ffengh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ffengh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4580	5012	eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe	80
PID 5012 wrote to memory of 4580	5012	eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe	80
PID 5012 wrote to memory of 4580	5012	eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe	80

C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
"C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\ffengh.exe
  "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffengh.exe

Filesize
25KB

MD5
786ca66a1428c854056c1685f2936fac

SHA1
524e6d4ba2953f96e2acf8705cbc466a16a83c71

SHA256
9feece5140f270b3bf6bdd05fc2b34304af238ad15f2b4e4014441428f65eb8c

SHA512
138d2abdf8e1c822865cef7b0a45f49c64542e3cef78533fecde6a243b350b4608df620828e2b02b8b07d4f1c751826e88d84886fc9a36e3b86f16a6fb25a0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffengh.exe

Filesize
25KB

MD5
786ca66a1428c854056c1685f2936fac

SHA1
524e6d4ba2953f96e2acf8705cbc466a16a83c71

SHA256
9feece5140f270b3bf6bdd05fc2b34304af238ad15f2b4e4014441428f65eb8c

SHA512
138d2abdf8e1c822865cef7b0a45f49c64542e3cef78533fecde6a243b350b4608df620828e2b02b8b07d4f1c751826e88d84886fc9a36e3b86f16a6fb25a0d8

Download Submit
memory/4580-140-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/5012-132-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/5012-133-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/5012-134-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download