2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe
Size

18KB
MD5

8dcafbce7a944df17e8257eaa3dc7e99
SHA1

2b1ff918a5611abbc21638b8334f399984e468cd
SHA256

2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6
SHA512

5e16962074dbdcb4ba3c16fd6fa9a9324832dc38fb7efd2b5fd8df087b4f100ad2b21149e56535c5624af41e047eab840e8683bf9ee11f21be4cda9bba765a2f
SSDEEP

192:KSY39YVDBpWvsmYaaBIyFE2vO0c93ymCzyLq1oynR61miLE3epar8Rd/:C39YVDLnmY1RTQ938zQq1+wiL8e68Rd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pycwq.exe

pid process

2276 pycwq.exe

pid	process
2276	pycwq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe

description	pid	process	target process
PID 1048 wrote to memory of 2276	1048	2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe	pycwq.exe
PID 1048 wrote to memory of 2276	1048	2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe	pycwq.exe
PID 1048 wrote to memory of 2276	1048	2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe	pycwq.exe

C:\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe
"C:\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\pycwq.exe
"C:\Users\Admin\AppData\Local\Temp\pycwq.exe"
2⤵
- Executes dropped EXE
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pycwq.exe
Filesize
18KB

MD5
2789ee4f393557184b5790214cdd7d64

SHA1
4d9f739b3edcb2654ba2defe72b677533c43f6b2

SHA256
6bfcc1ee7ee701107fdef87c08eedfa3d65ad6e0706adf311e518330f6468da8

SHA512
fc354ed4566896331a5956a4d7c9f945389a778bbab50ba96d669fead7de81570f625bb8ac8043f76e6cc4a71e801dc0ccf171b5720dacdccafc1e7f2b6acd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pycwq.exe
Filesize
18KB

MD5
2789ee4f393557184b5790214cdd7d64

SHA1
4d9f739b3edcb2654ba2defe72b677533c43f6b2

SHA256
6bfcc1ee7ee701107fdef87c08eedfa3d65ad6e0706adf311e518330f6468da8

SHA512
fc354ed4566896331a5956a4d7c9f945389a778bbab50ba96d669fead7de81570f625bb8ac8043f76e6cc4a71e801dc0ccf171b5720dacdccafc1e7f2b6acd3d

Download Submit
memory/1048-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-133-0x0000000000000000-mapping.dmp

Download
memory/2276-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download