Analysis
- max time kernel: 174s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 04:32
Static task: static1

Behavioral task: behavioral1
- Sample: 2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
- Resource: win10v2004-20221111-en
General
- Target: 2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
- Size: 234KB
- MD5: 96ef9656bcf53588fdf4c5c2bbb517e3
- SHA1: f8476b3fe430f00cc840cbb035da81a0a6162d76
- SHA256: 2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815
- SHA512: 33107156e8239fd186e5cb006fbaee82593e93a322276726e8f28de4e543c646b042a79589a82c10e77cfca7dd8001f65b275a2b7115255e86af2203f521ff8a
- SSDEEP: 3072:km2VVOW15qNaiPStostctNtl7Zu03fr70+xYG08atBFbqOyZRm+tn7zVuydm8pQW:k0E4fl713fr70acFbca+tJxpQXG
Malware Config
- none shown in this report

Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
  The Nation value holds the user's Windows GeoID as a decimal string (for example 244 for the United States). Malware typically compares it against a list of excluded countries and exits on a match, so the sample may take a different path outside an en-us sandbox like this one.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1116 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe) set thread context of PID 4436 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe)
  The parent launches a second copy of its own image and then rewrites a thread context inside it. Together with the eight WriteProcessMemory calls from 1116 into 4436 listed below, this is the process hollowing (RunPE) sequence; the dumps of PID 4436 under Downloads are where the injected payload should be looked for.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration on its own is a weak indicator; the report records no file encryption.
- Runs net.exe
  The sample spawns net.exe with `stop sharedaccess` (see the process tree below). SharedAccess is the Internet Connection Sharing service; on Windows XP that service also hosted the Windows Firewall, which is why older malware stops it. On Windows 10 the firewall runs as the separate MpsSvc service, so this command does not disable the firewall here.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1116 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1116 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe) wrote to memory of PID 212 (net.exe): 3 times
  PID 212 (net.exe) wrote to memory of PID 3796 (net1.exe): 3 times
  PID 1116 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe) wrote to memory of PID 4436 (2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe): 8 times
  The three writes into each ordinary child (net.exe, net1.exe) are the ones CreateProcess performs when it sets up any new process on this platform and serve as the baseline; the eight writes into 4436 are the ones that carry the injected image.
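The two signatures above only become meaningful when read together: a parent that writes into a child more often than CreateProcess itself does and then sets that child's thread context is the hollowing sequence. The following detector is an added example, not part of the report or of the sandbox's own code. It parses event lines in the shape this report prints ("PID A wrote to memory of B A image target_image", "PID A set thread context of B ..."), counts writes per (parent, child) pair and flags pairs that also received SetThreadContext. The event list is constructed from the IoC lines above, and the baseline of three writes per child is an assumption taken from the net.exe and net1.exe spawns in this report.

```python
"""Flag the process-hollowing pattern in sandbox process-event lines.

Added example: parses Tria.ge-style WriteProcessMemory / SetThreadContext
IoC lines and flags a (parent, child) pair that received more than the
baseline number of writes plus a SetThreadContext call.
"""
import re
from collections import defaultdict

# Assumption: the writes CreateProcess itself performs for every child on
# this platform (three for net.exe and for net1.exe in the report above).
BASELINE_WRITES = 3

SAMPLE = "2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe"

# Constructed from the IoC lines in the report (repeated lines expanded).
EVENTS = (
    [f"PID 1116 wrote to memory of 212 1116 {SAMPLE} net.exe"] * 3
    + ["PID 212 wrote to memory of 3796 212 net.exe net1.exe"] * 3
    + [f"PID 1116 wrote to memory of 4436 1116 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 1116 set thread context of 4436 1116 {SAMPLE} {SAMPLE}"]
)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")


def parse_events(lines):
    """Return (writes, contexts, images).

    writes[(src, dst)]  -> number of WriteProcessMemory calls src -> dst
    contexts            -> set of (src, dst) pairs that saw SetThreadContext
    images[pid]         -> image name seen for that pid
    """
    writes = defaultdict(int)
    contexts = set()
    images = {}
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes[(int(src), int(dst))] += 1
            images[int(src)], images[int(dst)] = src_img, dst_img
            continue
        m = CTX_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            contexts.add((int(src), int(dst)))
            images[int(src)], images[int(dst)] = src_img, dst_img
    return writes, contexts, images


def find_hollowing(lines, baseline=BASELINE_WRITES):
    """Return findings for (parent, child) pairs matching the hollowing pattern.

    A pair is flagged only when the parent both wrote into the child more
    than `baseline` times and set a thread context in it; self_image marks
    the RunPE variant where the child is a copy of the parent's own image.
    """
    writes, contexts, images = parse_events(lines)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in contexts and n > baseline:
            findings.append({
                "parent": src,
                "child": dst,
                "writes": n,
                "image": images[dst],
                "self_image": images[src] == images[dst],
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print(finding)
```

The net.exe and net1.exe spawns are not flagged because they never exceed the baseline and never receive SetThreadContext; only the 1116 -> 4436 pair does, and it is marked as a self-image injection.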
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" stop sharedaccess
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop sharedaccess
   2. C:\Users\Admin\AppData\Local\Temp\2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2e8a6084ff53768010e505cb3fc6f485a80a6f3951a3d6a893d08d2eaf68e815.exe"

The command lines name System32 but the executed images live in SysWOW64: the sample is a 32-bit process on a 64-bit host (arch:x86 tag), so WoW64 file-system redirection mapped the paths. The second copy of the sample (the last entry) is the PID 4436 child that received the WriteProcessMemory and SetThreadContext calls.
Downloads
- memory/212-135-0x0000000000000000-mapping.dmp
- memory/3796-136-0x0000000000000000-mapping.dmp
- memory/4436-137-0x0000000000000000-mapping.dmp
- memory/4436-138-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/4436-140-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/4436-141-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)

The three dumps of PID 4436 cover 0x400000-0x427000 (0x27000 bytes = 156KB), the default image base of a 32-bit executable, in the child that received SetThreadContext; this is the region the parent overwrote with the injected image. Before treating a dump as the unpacked payload, confirm that it starts with a valid MZ/PE header and that its ImageBase and SizeOfImage agree with the dumped region.
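One way to run that header check on a dumped region, as an added example that is not part of the report or of the sandbox's tooling. It parses the DOS and PE headers of the dump with `struct`, pulls ImageBase, SizeOfImage and the entry point, and compares them with the dump's address range. Because the real dump bytes are not on this page, the block builds a constructed minimal PE32 header with the same base and size as the 4436 region; the sample's actual bytes would be passed in its place.

```python
"""Check that a memory dump is a PE32 image and that it matches its region.

Added example for the 4436 dumps listed above. build_fake_pe32() makes a
constructed minimal PE32 header standing in for the real dump bytes.
"""
import struct

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B


def build_fake_pe32(image_base=0x400000, size_of_image=0x27000, entry=0x1000):
    """Constructed PE32 header (DOS stub, COFF header, optional header); not the sample's bytes."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # COFF: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(
        "<HBB9I6H4I2H",
        PE32_MAGIC, 14, 0,           # Magic, linker version
        0x1000, 0x1000, 0,           # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        entry, 0x1000, 0x2000,       # AddressOfEntryPoint, BaseOfCode, BaseOfData
        image_base, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,            # OS / image / subsystem versions
        0,                           # Win32VersionValue
        size_of_image, 0x400, 0,     # SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8000,                   # Subsystem (GUI), DllCharacteristics
    )
    opt += b"\0" * (0xE0 - len(opt))  # data directories, all zero
    return dos + coff + opt


def inspect_dump(blob, region_start, region_end):
    """Parse the PE headers at the start of `blob` and compare them with the dumped region."""
    if blob[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ signature"}
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature"}
    machine, nsec, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", blob, opt)[0] != PE32_MAGIC:
        return {"is_pe": True, "is_pe32": False, "reason": "not a PE32 optional header"}
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    region_size = region_end - region_start
    return {
        "is_pe": True,
        "is_pe32": True,
        "machine": machine,
        "sections": nsec,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "entry_point_va": image_base + entry,
        "size_of_image": size_of_image,
        "region_size": region_size,
        "region_kib": region_size // 1024,
        "base_matches_region": image_base == region_start,
        "size_matches_region": size_of_image == region_size,
    }


if __name__ == "__main__":
    # Region taken from the 4436 dump names above; header bytes are constructed.
    print(inspect_dump(build_fake_pe32(), 0x400000, 0x427000))
```

When base_matches_region and size_matches_region are both true the dump is a whole in-memory image and can be handed to a PE tool after unmapping (converting section virtual addresses back to file offsets); a mismatch usually means the dump is a fragment or a relocated module rather than the injected payload.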