62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9

Analysis

max time kernel
153s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe
Size

113KB
MD5

ce04be5ea49bf4b2bb1824f94349bcfe
SHA1

fb3d596a4fd5f501c2b4b042a12b7208c1d13e30
SHA256

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9
SHA512

0dc46a16efec9b449cbe5b52a7175fca0e7c12c88f3fbeecf5bc1eafa3e102ee8f33bd28c8cb9455e38f8c3d233c65abd3e4c7d701c15cd6e41f8b7726fee22b
SSDEEP

3072:JemcyqFcEJrRL5JbfHmTy6ol2M5bh85VN+umgLFIq:Ji1Fz7mMkc18PNIgJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe

description	pid	process	target process
PID 4500 wrote to memory of 4000	4500	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe
PID 4500 wrote to memory of 4000	4500	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe
PID 4500 wrote to memory of 4000	4500	62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe
"C:\Users\Admin\AppData\Local\Temp\62e073dc6679e44aeabe0d4e45909978e47daaba91ec35465448393c809fb2e9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Kfp..bat" > nul 2> nul
2⤵
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kfp..bat

Filesize
274B

MD5
dea8ace5ec168e7f709aadb49f34a688

SHA1
57f7d979fd9f48075149847e48e5bb679ad42fd8

SHA256
fb44593f09f5674f8a60d812179871625322604b470514600a88096f27272406

SHA512
2b8370d58ca32e46feb4336b80702485404676eaa2fb4d8e7eab480c7f91a1128c54009b79ef8d79da23a432aa2b0fcaa490651844f85be173b68d084083788f

Download Submit
memory/4000-133-0x0000000000000000-mapping.dmp

Download
memory/4500-132-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/4500-134-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download