eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
Size

184KB
MD5

821cdee6e72c5da5130a13ab50862b70
SHA1

0d80e67479d7cb00bb6a9f2ca74c5e43939d01b8
SHA256

eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be
SHA512

54c3cefb660d7a57a0c27ba21eb810902ebb4ff6bf73da5315d8af2dfdedb50d1d37411955a1500eef093b894cb4a86dbe275da99769d6a88a3ea24bca25ef07
SSDEEP

3072:xnrRqBYMmJGGlsw23uoYR1zRVufMbCmuhi3URpC4IUhdhLhPhAeY:xSDYaB3uTRsmu1pJIU3hhh6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3280	facebook hack v6.2.Exe
3940	facebook hack v6..exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3280	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	80
PID 3116 wrote to memory of 3280	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	80
PID 3116 wrote to memory of 3280	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	80
PID 3116 wrote to memory of 3940	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	81
PID 3116 wrote to memory of 3940	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	81
PID 3116 wrote to memory of 3940	3116	eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe	81

C:\Users\Admin\AppData\Local\Temp\eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
"C:\Users\Admin\AppData\Local\Temp\eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe
  "C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe"
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe
  "C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe"
  2⤵
  - Executes dropped EXE
  PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe

Filesize
33KB

MD5
596805c542b24fc7e9f1b689e9490941

SHA1
68736e9600a135b9fb7a9d8b0040eee395112cd6

SHA256
2c4e9e949f75f44889b71223267df3c7ecec8489bdf27b269247c787f459001d

SHA512
e43c3eb8970f92f25072b315b0cdd4bd9b3ec06b50c08524e6fc820a83f29713e7a75a65ed436da623ff7574e4f2196f5848dc3f7a5b0ab39af110fcfa77aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe

Filesize
33KB

MD5
596805c542b24fc7e9f1b689e9490941

SHA1
68736e9600a135b9fb7a9d8b0040eee395112cd6

SHA256
2c4e9e949f75f44889b71223267df3c7ecec8489bdf27b269247c787f459001d

SHA512
e43c3eb8970f92f25072b315b0cdd4bd9b3ec06b50c08524e6fc820a83f29713e7a75a65ed436da623ff7574e4f2196f5848dc3f7a5b0ab39af110fcfa77aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe

Filesize
309KB

MD5
5b32674ed2aab6a1c987f12048c9c362

SHA1
6d6ad39281c73303700943913acb83733e9693ce

SHA256
95b70d4ee8c613a8b714488c729cfd086505d9a53abb5d0879e3c28e578dc668

SHA512
034fbb688cba4a25ef07fc206e59b9a6eb8092d225a6b4ed62b99e29bce003e2d7b45843ea3f908e7027d17519cb6b229b910648a4790b905f0e161d3d22e730

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe

Filesize
309KB

MD5
5b32674ed2aab6a1c987f12048c9c362

SHA1
6d6ad39281c73303700943913acb83733e9693ce

SHA256
95b70d4ee8c613a8b714488c729cfd086505d9a53abb5d0879e3c28e578dc668

SHA512
034fbb688cba4a25ef07fc206e59b9a6eb8092d225a6b4ed62b99e29bce003e2d7b45843ea3f908e7027d17519cb6b229b910648a4790b905f0e161d3d22e730

Download Submit
memory/3280-139-0x0000000073C00000-0x00000000741B1000-memory.dmp

Filesize
5.7MB

Download
memory/3280-145-0x0000000073C00000-0x00000000741B1000-memory.dmp

Filesize
5.7MB

Download
memory/3940-138-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/3940-140-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/3940-141-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/3940-142-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/3940-143-0x0000000003370000-0x000000000337A000-memory.dmp

Filesize
40KB

Download
memory/3940-144-0x00000000059C0000-0x0000000005A16000-memory.dmp

Filesize
344KB

Download