b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97

Analysis

max time kernel
199s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe
Size

113KB
MD5

483f9ca4dc8862b4c1d082fa2fbc62e3
SHA1

b09e81d95c334950f8fad48bbe3b9b6bb027c9b0
SHA256

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97
SHA512

482fdd7afcb4c3d6e7ed80d65d19e133a61f478a43d2af77531b53ae42d441c2b15e8b49b7da6c58c3c7cd1bae28cb64f98b3792e062714a20ac775032669623
SSDEEP

3072:XemcyqFcEJrRL5JbfHmTy6ol2M5bh85VN+umgLFIq:Xi1Fz7mMkc18PNIgJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe

description	pid	process	target process
PID 3228 wrote to memory of 4704	3228	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe
PID 3228 wrote to memory of 4704	3228	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe
PID 3228 wrote to memory of 4704	3228	b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe
"C:\Users\Admin\AppData\Local\Temp\b8aa6c2d19630d275a0ce64fdcbba7034bbd2afbdbe1d6e5b81988c1a195ec97.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xmf..bat" > nul 2> nul
2⤵
PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xmf..bat

Filesize
274B

MD5
7e2400b6495e21c2b5aa77fea01795dd

SHA1
2b6ff08e4158c601c653650d76f587aa31d291ea

SHA256
5a8afc0bb4df765c602d7192f6e3b57b9e08c4cd1924d38bac57b996c74e1634

SHA512
9e0c52c0f0a25a47d184a0019b9aa789b0959b91473c505cc30cd33b26970ee8dea41da1bef7258fdee39030e1229f24d49aa5215c8bc0185ed49ad5083f232a

Download Submit
memory/3228-132-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/3228-134-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/4704-133-0x0000000000000000-mapping.dmp

Download