17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe
Size

120KB
MD5

00d72d8f972ed384ed5b018fe1b68e66
SHA1

2db63c0c678f39018f18c520f50d6b3b0021b682
SHA256

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86
SHA512

1407c866c9d6273253580437acd05f64002d6e8cbe97d071874711d64eede13dc0a64cd1c6ab2abe2c73dfdcad6930ac8f30ec1fefd2815782158300a8630bad
SSDEEP

3072:dMeZVVcB8v3tajzekZQSLzS9QQUbM81CYTXim6:mehvQX/ZfLxQUbMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 4192	5044	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 5044 wrote to memory of 4192	5044	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 5044 wrote to memory of 4192	5044	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 4192 wrote to memory of 4984	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4984	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4984	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4300	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 4300	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 4300	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 5104	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 5104	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 5104	4192	cmd.exe	find.exe
PID 4192 wrote to memory of 596	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 596	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 596	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4436	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4436	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4436	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4180	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4180	4192	cmd.exe	cmd.exe
PID 4192 wrote to memory of 4180	4192	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe
"C:\Users\Admin\AppData\Local\Temp\17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BFC3826.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type BFC3826.bat"
3⤵
PID:4984

C:\Windows\SysWOW64\find.exe
find "e "
3⤵
PID:4300

C:\Windows\SysWOW64\find.exe
find /v "REM"
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
cmd /C debug<shell.x
3⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /C del shell.x
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd /C del shell.x
3⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFC3826.bat

Filesize
101KB

MD5
b4d3bbc40fd2affb7fbdb57901ea7479

SHA1
c39d0f8d9de9852cba3f7a3170e57a18e88a347f

SHA256
c13e106c39236c8631776064f7894adc4337730541dd8262004fc338b5e18c7f

SHA512
4c6d4c1cb700ee882d1e7ab19baa9242814de85025d73f682a4e9f1c9052478f66ae9941e1859b87f0cdfc275b95d385215a9e6439c70c35ac968e69b94b0f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell.x

Filesize
100KB

MD5
54d707490c161ea00b472c65b1465583

SHA1
f38295d6c533bbd6c3d962c3846371dc1bd0de22

SHA256
bc53bc2b5ef762727204750161aa6e78e03d9e5afa33b5ff9914cc0679a5b59c

SHA512
011a1400f5ae928ddfbfbab63f183fb87484c5ec367a075fe0c39a1d7c38519bdd10866dcfdfe3fa73ec8fcf9a4dcc42dde2f7dcf76222cb4ece7e2225f7d5e0

Download Submit
memory/596-137-0x0000000000000000-mapping.dmp

Download
memory/4180-140-0x0000000000000000-mapping.dmp

Download
memory/4192-132-0x0000000000000000-mapping.dmp

Download
memory/4300-135-0x0000000000000000-mapping.dmp

Download
memory/4436-139-0x0000000000000000-mapping.dmp

Download
memory/4984-134-0x0000000000000000-mapping.dmp

Download
memory/5104-136-0x0000000000000000-mapping.dmp

Download