4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847

Analysis

max time kernel
61s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe
Size

306KB
MD5

2bc5256229ad4026e685e68624bc69e1
SHA1

59ee8edcb7d58b6f2e61ffda1335c0cc6ff277c3
SHA256

4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847
SHA512

d1bfd7f125829b17c868b212a37eb614a80da2b7ed8dd81e7c23dac55b272412ba6f54be09149492629971b1048deb289cb418614d7c7483291f47fe9cee2652
SSDEEP

6144:UZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6h/5EFaSSpUJPof6:SANwRo+mv8QD4+0V16h/5EFtSqxof6

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3284	A@-Hack V2.exe
3952	system3221.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system3221.exe	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	3952	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3284	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	82
PID 3796 wrote to memory of 3284	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	82
PID 3796 wrote to memory of 3284	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	82
PID 3796 wrote to memory of 3952	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	83
PID 3796 wrote to memory of 3952	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	83
PID 3796 wrote to memory of 3952	3796	4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe	83

C:\Users\Admin\AppData\Local\Temp\4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe
"C:\Users\Admin\AppData\Local\Temp\4edd4b4dc096d6a7f30182be0f69822dcd3e72a57332721634923c5fbc035847.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\A@-Hack V2.exe
  "C:\Users\Admin\AppData\Local\Temp\A@-Hack V2.exe"
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\system3221.exe
  "C:\Windows\system3221.exe"
  2⤵
  - Executes dropped EXE
  PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 248
    3⤵
    - Program crash
    PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3952 -ip 3952
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A@-Hack V2.exe

Filesize
233KB

MD5
7fb79afe3818ae193f68fe621be9be1e

SHA1
ddab2f821b156f93b5767733fc8034f5c4c38429

SHA256
ba2e83a1deba792c886f136751e54f762d4ca7aea8590199273c1c995c9e502b

SHA512
3316c30694bd1197ccc8760372717c482bb5199c4ca1311ff1eae8cbdb6747b65f33c054ef0ae8bc12fa88c97c1291954ef88495696a7d14d2ef2db049596b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\A@-Hack V2.exe

Filesize
233KB

MD5
7fb79afe3818ae193f68fe621be9be1e

SHA1
ddab2f821b156f93b5767733fc8034f5c4c38429

SHA256
ba2e83a1deba792c886f136751e54f762d4ca7aea8590199273c1c995c9e502b

SHA512
3316c30694bd1197ccc8760372717c482bb5199c4ca1311ff1eae8cbdb6747b65f33c054ef0ae8bc12fa88c97c1291954ef88495696a7d14d2ef2db049596b57

Download Submit
C:\Windows\system3221.exe

Filesize
57KB

MD5
2a8d50cd7fc0ce33101c7214edee0cde

SHA1
ad11b53c264ca0c0605fdb99024fb1bf3ed0de7e

SHA256
264bd6c4afed9cc7623c92c68ef0f370a84efd0f585e264bbff72e743cd916fa

SHA512
56bbf411e199e90d540e5b7f60eee4837511fc86982d41aeb508b6931f90ea0333851a76754839f52e53c8b7787de0ad3d793965d6f645a468639ff7f5a2c362

Download Submit
C:\Windows\system3221.exe

Filesize
57KB

MD5
2a8d50cd7fc0ce33101c7214edee0cde

SHA1
ad11b53c264ca0c0605fdb99024fb1bf3ed0de7e

SHA256
264bd6c4afed9cc7623c92c68ef0f370a84efd0f585e264bbff72e743cd916fa

SHA512
56bbf411e199e90d540e5b7f60eee4837511fc86982d41aeb508b6931f90ea0333851a76754839f52e53c8b7787de0ad3d793965d6f645a468639ff7f5a2c362

Download Submit
memory/3284-138-0x0000000000A50000-0x0000000000A92000-memory.dmp

Filesize
264KB

Download
memory/3284-139-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/3284-140-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/3284-141-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/3284-142-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/3284-143-0x00000000054C0000-0x0000000005516000-memory.dmp

Filesize
344KB

Download