Analysis
max time kernel: 167s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
  Resource: win10v2004-20220812-en
General
Target: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
Size: 131KB
MD5: 93c3392b91669a01cceb599296c3c2b0
SHA1: fbe8bae801d725dc2d40ce680e14f5b34a5737be
SHA256: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
SHA512: ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
SSDEEP: 3072:O/fCCPsG9etK87u1JdYVU10PIutREBO9qYDHa4rCcBM2v:OjP2KEhUWPIuPEOAYD64xf
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    4652 | yahoo.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 4708 wrote to memory of 4652 | 4708 | fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe | yahoo.exe
    PID 4708 wrote to memory of 4652 | 4708 | fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe | yahoo.exe
    PID 4708 wrote to memory of 4652 | 4708 | fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe | yahoo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\yahoo.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yahoo.exe
  Filesize: 131KB
  MD5: 93c3392b91669a01cceb599296c3c2b0
  SHA1: fbe8bae801d725dc2d40ce680e14f5b34a5737be
  SHA256: fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
  SHA512: ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
- memory/4652-135-0x0000000000000000-mapping.dmp
- memory/4708-132-0x0000000000A60000-0x0000000000A86000-memory.dmp
  Filesize: 152KB
- memory/4708-133-0x0000000007C70000-0x0000000007D0C000-memory.dmp
  Filesize: 624KB
- memory/4708-134-0x00000000084C0000-0x0000000008A64000-memory.dmp
  Filesize: 5.6MB