947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2

Analysis

max time kernel
189s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe
Size

224KB
MD5

267655ebca4e4261d58556e007ecd5b1
SHA1

05e0d60628978cae7ebf98c45646ff785c1f2dd5
SHA256

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2
SHA512

ebab316a4353dab3cc5fecabc23b0cacdab562651886aed95e1bb9266c548e63090fd8865643a7462260d74762b3bb16408c95bb3a83c3d0ef5244a868816a52
SSDEEP

6144:g9o7tHiKg02IwLgnIgGdS6N0WL21IDBILxJakz:MAHiKgHPdvfL21KBKJB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4800 PING.EXE

pid	process
4800	PING.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe

description	pid	process	target process
PID 64 wrote to memory of 4800	64	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 64 wrote to memory of 4800	64	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 64 wrote to memory of 4800	64	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe
"C:\Users\Admin\AppData\Local\Temp\947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
2⤵
- Runs ping.exe
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4800-132-0x0000000000000000-mapping.dmp

Download