daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7

Analysis

max time kernel
105s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 11:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe
Size

206KB
MD5

93edb5c6cb7b831076a65bc4d65388dd
SHA1

4e30a372673845699dc624a23e4e1e5a94bd6894
SHA256

daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7
SHA512

0a0b26ecb6425550693c4cc0e7e16eda62b34b13114567a6d2a7d56a178f51b81742cae140e183cc47250f8d703e8e5bfef002752ac316b73198f1b4ad4bc7f2
SSDEEP

3072:k0t3PPdj6SY0prnpQ0Ahvl9e2Oc0+rb3WdK1KLxyNeEvYS9:J31Y0nQ00tM2Oc5PWdK1KQeEvY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 4996	2144	daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe	82
PID 2144 wrote to memory of 4996	2144	daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe	82
PID 2144 wrote to memory of 4996	2144	daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe	82

C:\Users\Admin\AppData\Local\Temp\daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe
"C:\Users\Admin\AppData\Local\Temp\daf12ebc2f9fac7e8c02a38549634948cf8e0c20d5da789bb81889f06f7938a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Qvj..bat" > nul 2> nul
  2⤵
  PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qvj..bat

Filesize
274B

MD5
18356a5b8017bef74f1ff5a22374c4ef

SHA1
3860f4a07fef2658c6fea6e4194fb41191c44661

SHA256
c7e7f28d0137204262b8615a57d1eec0bbde9dc2d4b276d4dc270cb00117fa38

SHA512
dff0d97de9fd0caa40eac6c61e73132266c31b1076ff34be28a00bb22ae302ae6eacdd6afb8d8080fc3bfabdf31218a8152c7b4f486a88dd31db96c0c615f3ab

Download Submit
memory/2144-132-0x00000000021C0000-0x00000000021DE000-memory.dmp

Filesize
120KB

Download
memory/2144-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2144-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download