Analysis
max time kernel: 181s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
  Resource: win10v2004-20221111-en
General
Target: baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
Size: 113KB
MD5: 1b6e444ba7241ccaed3fb67e191cf605
SHA1: 885b749ced5993737081b47dcb490cce18498af9
SHA256: baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3
SHA512: eb4c6a3d5f91b5851808124b6f4d5437988c26136c78ea1b7e9d64e107e6a2d04a442955dfae57be18cebbfabbdee3e7bdcd6116bd32c1538c2b1070ee694f67
SSDEEP: 3072:QuiBG6IggKenHasq9y25XquxAzflFEHURitEHyp+xAFSdsmFIb:hggKen6sQy+quegw1AF/1
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe: key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (process: baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 2744 (baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe) wrote to memory of PID 4088 (cmd.exe), reported 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\baf99e7e22e7a8e5419b9f5fe971376f7f335489b7dfc8ce0476561d70f8b7d3.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ldv..bat" > nul 2> nul
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ldv..bat
  Filesize: 274B
  MD5: 6c4ed9ea110c21ddb5be5ce3de3d486f
  SHA1: 57b12daf9794f7c2c0beda37c730e5a218ce746d
  SHA256: ea2f43a7c94c8659e961207bf79c082b575f3c3916d475128557568cc5600a57
  SHA512: 1382c265baadba4170e98d59f479e6e98d08e01e4d8818dad655ffe29337e345dfcb84553869b00e41ea65c95bec3e56cac29f0a9fee7fa060830eb7c2a7894c
- memory/2744-132-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/2744-133-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/2744-135-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/4088-134-0x0000000000000000-mapping.dmp