f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe
Size

196KB
MD5

9688de36b679046c274137f195491240
SHA1

18ae05626e43be3b10cbec970d54205e24e27ab1
SHA256

f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4
SHA512

51391d1372d2cc8261d55ce6c72a5542513a67fa8da708c3740d19e46d7af5a5933f6ed01b18ca6a8fbb9ca9b2167bfae4657194fd7a50570f82f81170ab98d6
SSDEEP

3072:aM65zTN7RH9Avf63fpp0dL5qxpubZyejITv9fXFg1:1mTNJ0f63Bp0dLiobP+v9fVa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4932	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 748	4636	f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe	83
PID 4636 wrote to memory of 748	4636	f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe	83
PID 4636 wrote to memory of 748	4636	f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe	83
PID 748 wrote to memory of 4932	748	cmd.exe	85
PID 748 wrote to memory of 4932	748	cmd.exe	85
PID 748 wrote to memory of 4932	748	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe
"C:\Users\Admin\AppData\Local\Temp\f656a6b0720d03357d81e9037e42f71e8d135f5492f33ab84fcc1f892e3545a4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\278D.tmp.bat" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\278D.tmp.bat

Filesize
130B

MD5
9f1ab391f740c4c09ff06d15fbbbf975

SHA1
2dae360e4a25804d1fe3f60eafb4375ed1ef312a

SHA256
48d6002434991cdce772645e1b19b9314161c9dbbd26f052027cdb80d2522f8a

SHA512
1c718263577f308dbaf47e8c3bac091d8fd45d04345dbf5286ec6eefda37500cc93b7f7b13c1e1ab005a96442aaf8b515d021c62b78421db4d40a0a3df88ff95

Download Submit