9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301

Analysis

max time kernel
149s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 06:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe
Size

99KB
MD5

5f7bceb83bb21ffe32f8ff07e072cdaa
SHA1

b79da590a6ebe212ded4eb5e7d21402bd0d040cb
SHA256

9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301
SHA512

59199106ca59a0abba6efc9072af588e71fe79011555d368d0e626835a9b318f403c21766e3c4334b53ba27c9039f003107a78085a1d94548447cf5c5b104ac1
SSDEEP

1536:UhhYzHQxhu1h7evMhuEanToEN+ROqzUDCkmWPVj1B6CnWkiUw4an0FHKrYPkfWQI:U8DQT+7Vhf3NpYt1tWkNNFHKr1WWiJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1876	3396	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	83
PID 3396 wrote to memory of 1876	3396	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	83
PID 3396 wrote to memory of 1876	3396	9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe	83

C:\Users\Admin\AppData\Local\Temp\9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe
"C:\Users\Admin\AppData\Local\Temp\9277a8ebdee9cce84e74d2ff480d880b15f056ae08cd7740e03fc0cd5ad7f301.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Pfv..bat" > nul 2> nul
  2⤵
  PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pfv..bat

Filesize
274B

MD5
95a4aa2066c824c27ba8bed2cd952a38

SHA1
0ef5a9c7f02d8466feaa07e018a1cc3d976705d9

SHA256
1fa1c9952bfedc89cab70f6bdb2a1cdd41fc0145e4f2a98b38686798f53bb352

SHA512
a976912d272a0cb0c37dc08e013487a828788043ac7cafa8bd7345c20ec209a47bffa39f7e50e836ed3eecb93e75b766fa1d22e1ffea76e66d63cb2d342d001b

Download Submit
memory/3396-132-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/3396-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download