80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8

Analysis

max time kernel
125s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe
Size

200KB
MD5

0e619d519a02016e2c7f3402f9e67910
SHA1

2ffe7ce1fe71015ce32601ec0bca1622e8d6c7fe
SHA256

80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8
SHA512

e1d955f8219ff089f66b73ac1f853f581a7ed40aee64cb92aa263c759ee302611bfd31d14b937c0e492ffa2c6c36866c185fe9e9876d21e19f0f57f8679e4c3f
SSDEEP

3072:DVmZWXyaiedMbrN6pnoXvBsZV1NQKPWDyDReScJltZrpRqCTg:BSNaPM4loQNSDyDREthpg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2508	calc.exe
3852	notepad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2508	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	82
PID 3008 wrote to memory of 2508	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	82
PID 3008 wrote to memory of 2508	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	82
PID 3008 wrote to memory of 3852	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	83
PID 3008 wrote to memory of 3852	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	83
PID 3008 wrote to memory of 3852	3008	80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe	83

C:\Users\Admin\AppData\Local\Temp\80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe
"C:\Users\Admin\AppData\Local\Temp\80aa98fea0db302f362d90f4bb4d97f076d6d273d9dd656208782448929582a8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\calc.exe
  "C:\calc.exe"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\notepad.exe
  "C:\notepad.exe"
  2⤵
  - Executes dropped EXE
  PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
C:\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
C:\notepad.exe

Filesize
65KB

MD5
89fe32de8587b0dfd76efce00396eb56

SHA1
1572b3c4d3dd39832ae500abccc1d2df27ef1b8c

SHA256
2b1f046d15dce7f20a294cba6e6f9b5e7ebf854ff6010a5f3ea7eee45478b843

SHA512
48a700cc8a398bd3e65a922990373ed845d8bbb6cc6f5e4d102187b59ac1707270fcbe9149e5a7abfa811b796d242a464900dafd1288ac5f46ab0bc0ae93ca9d

Download Submit
C:\notepad.exe

Filesize
65KB

MD5
89fe32de8587b0dfd76efce00396eb56

SHA1
1572b3c4d3dd39832ae500abccc1d2df27ef1b8c

SHA256
2b1f046d15dce7f20a294cba6e6f9b5e7ebf854ff6010a5f3ea7eee45478b843

SHA512
48a700cc8a398bd3e65a922990373ed845d8bbb6cc6f5e4d102187b59ac1707270fcbe9149e5a7abfa811b796d242a464900dafd1288ac5f46ab0bc0ae93ca9d

Download Submit