ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe
Size

950KB
MD5

99f0685b66a1378da325f746af950387
SHA1

050a5270ed025afd9c81e16ce75605bfdb945c6f
SHA256

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82
SHA512

a2b8e3ffaabd2a3c373f96f4a5d817734ccc3647a23da9e4e06c6e30e0523be97c51e82719469b2fbbdd3eaa7524623a5df510a01e3de87fc974d91efc6f6f4c
SSDEEP

24576:rbhCAzc/bU6qsguxKVITWnmNwU2LIkdI31h6DnjI:rc/Y6eiKVITWnmT2LIP6Dnk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

pid process

3284 ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

pid	process
3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

description	pid	process
Token: SeShutdownPrivilege	3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe
Token: SeCreatePagefilePrivilege	3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe

description	pid	process	target process
PID 3284 wrote to memory of 4268	3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe	cmd.exe
PID 3284 wrote to memory of 4268	3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe	cmd.exe
PID 3284 wrote to memory of 4268	3284	ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe
"C:\Users\Admin\AppData\Local\Temp\ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRukcGoEdreXoNlU.bat" "
2⤵
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SRukcGoEdreXoNlU.bat
Filesize
204B

MD5
2d5735b9a46d929d3ba706f8806ab41b

SHA1
c9b212367fd945c6b20c535bd37a182501f30bd9

SHA256
b90b8527b1369d6d8187d1b18ab86717c6ad52495b792b51d3e762e7205a3c6f

SHA512
90cb3b1c8521961a8bcde4b0eb8cfb977c2af75d15bda003e7dc49bc76be4bd30be35881f7effa2525dd88e2142662450c0a90591490f9aa05e9c3f0f2df069d

Download Submit
memory/4268-132-0x0000000000000000-mapping.dmp

Download