c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010

Analysis

max time kernel
307s
max time network
322s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe
Size

232KB
MD5

5f4497ca592c677d15062e07cc2b5132
SHA1

33d1b76a4134fffcc0215c13fef180e2acb86464
SHA256

c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010
SHA512

69e37ee3ade09c374e3dfd7298659b1fa98ddfeea73ada1e670271d169ed9fb87749e80161387585be4a5b32ef8cbd71d9daf4ca1f15562fa52f05898561f7db
SSDEEP

1536:G3zmGomoDo0omoEo4A5AVzotokoXoOoioVo2oEogoFoPoeoWooo7oxozoZoMoZHB:gmJA5AVap/k

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

keamiy.exe

pid process

2348 keamiy.exe

pid	process
2348	keamiy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exekeamiy.exe

pid process

2192 c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe
2348 keamiy.exe

pid	process
2192	c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe
2348	keamiy.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe

description	pid	process	target process
PID 2192 wrote to memory of 2348	2192	c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe	keamiy.exe
PID 2192 wrote to memory of 2348	2192	c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe	keamiy.exe
PID 2192 wrote to memory of 2348	2192	c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe	keamiy.exe

C:\Users\Admin\AppData\Local\Temp\c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe
"C:\Users\Admin\AppData\Local\Temp\c1f329ec44f80ba8e4b052b614efdf12307f1e2266c9e96baa3ebd75b2f26010.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\keamiy.exe
  "C:\Users\Admin\keamiy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\keamiy.exe

Filesize
232KB

MD5
636bb93db6431680d2c950bf3c96217b

SHA1
d9f66b5dde723cb360a200a96b3b03353a693039

SHA256
9f0a53f1041ef715fdf98d9e069a54844781cacc15951b2361a82326525d9695

SHA512
cc1389891bb14497e854c8724656063b622c8ab26f6803d428c4a6f62cd70a66c0bc2687a367282ff7ae637bf5d9c9b625090ea6708f5d90a626068af64c7cb4

Download Submit
C:\Users\Admin\keamiy.exe

Filesize
232KB

MD5
636bb93db6431680d2c950bf3c96217b

SHA1
d9f66b5dde723cb360a200a96b3b03353a693039

SHA256
9f0a53f1041ef715fdf98d9e069a54844781cacc15951b2361a82326525d9695

SHA512
cc1389891bb14497e854c8724656063b622c8ab26f6803d428c4a6f62cd70a66c0bc2687a367282ff7ae637bf5d9c9b625090ea6708f5d90a626068af64c7cb4

Download Submit
memory/2348-134-0x0000000000000000-mapping.dmp

Download