ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe
Size

958KB
MD5

34bd8d6661a32f94b523168f028430e7
SHA1

df21a7f462bde792057e57ca2f7e5edf0715034d
SHA256

ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031
SHA512

7469cdc6b524651b8bd0f923ecb525263e4509761aee8b0949354a994b72b0cf2e3137a58742f2b6ff249a3b9aeae9590c4ae9fa7c0dc9c2c2142121f2819eb0
SSDEEP

24576:S0WQ7EIHdcoZrEb5HN8kYeH0GRGx6KdVosUz75ss92IodM:4uEKZrEbP8+Gx6yJL36

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

фыа.exe

pid process

2976 фыа.exe

pid	process
2976	фыа.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

фыа.exe

pid process

2976 фыа.exe

pid	process
2976	фыа.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exeфыа.exe

description	pid	process
Token: SeDebugPrivilege	5044	ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe
Token: SeDebugPrivilege	2976	фыа.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe

description	pid	process	target process
PID 5044 wrote to memory of 2976	5044	ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe	фыа.exe
PID 5044 wrote to memory of 2976	5044	ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe	фыа.exe
PID 5044 wrote to memory of 2976	5044	ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe	фыа.exe

C:\Users\Admin\AppData\Local\Temp\ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe
"C:\Users\Admin\AppData\Local\Temp\ebee57d2d44a34a260f1139bd23333826ff2bf64f06fd2a3fec14b6f13482031.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\фыа.exe
  "C:\Users\Admin\AppData\Local\Temp\фыа.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\фыа.exe

Filesize
529KB

MD5
515246ff007dd85d8694a4dec86ae93e

SHA1
4bb246a44a25ac993e47d7b07575bf0d6023f9c4

SHA256
726cc9defd966bb5a4139feaf73d30df71697215fc3e5497517799c688106f52

SHA512
4e676f8935c165ec0015ee8fd63118539add349d530f17712e9774a44bd32b0c56f0a706efb995df41b3f1a54dc1f2eef42033dc28987279bc512c5d8033adc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\фыа.exe

Filesize
529KB

MD5
515246ff007dd85d8694a4dec86ae93e

SHA1
4bb246a44a25ac993e47d7b07575bf0d6023f9c4

SHA256
726cc9defd966bb5a4139feaf73d30df71697215fc3e5497517799c688106f52

SHA512
4e676f8935c165ec0015ee8fd63118539add349d530f17712e9774a44bd32b0c56f0a706efb995df41b3f1a54dc1f2eef42033dc28987279bc512c5d8033adc2

Download Submit
memory/2976-133-0x0000000000000000-mapping.dmp

Download
memory/2976-136-0x0000000000140000-0x00000000001CA000-memory.dmp

Filesize
552KB

Download
memory/5044-132-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-137-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download