fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

Analysis

max time kernel
167s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
Size

131KB
MD5

93c3392b91669a01cceb599296c3c2b0
SHA1

fbe8bae801d725dc2d40ce680e14f5b34a5737be
SHA256

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
SHA512

ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
SSDEEP

3072:O/fCCPsG9etK87u1JdYVU10PIutREBO9qYDHa4rCcBM2v:OjP2KEhUWPIuPEOAYD64xf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yahoo.exe

pid process

4652 yahoo.exe

pid	process
4652	yahoo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe

description	pid	process	target process
PID 4708 wrote to memory of 4652	4708	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 4708 wrote to memory of 4652	4708	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 4708 wrote to memory of 4652	4708	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe

C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
"C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
"C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
2⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
131KB

MD5
93c3392b91669a01cceb599296c3c2b0

SHA1
fbe8bae801d725dc2d40ce680e14f5b34a5737be

SHA256
fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

SHA512
ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
131KB

MD5
93c3392b91669a01cceb599296c3c2b0

SHA1
fbe8bae801d725dc2d40ce680e14f5b34a5737be

SHA256
fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

SHA512
ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610

Download Submit
memory/4652-135-0x0000000000000000-mapping.dmp

Download
memory/4708-132-0x0000000000A60000-0x0000000000A86000-memory.dmp

Filesize
152KB

Download
memory/4708-133-0x0000000007C70000-0x0000000007D0C000-memory.dmp

Filesize
624KB

Download
memory/4708-134-0x00000000084C0000-0x0000000008A64000-memory.dmp

Filesize
5.6MB

Download