c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 10:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
Size

1.5MB
MD5

4b456d383b908bd831c55f759fc63e5d
SHA1

3c029bd2335ccb3221fb10a2c73fb4ece4bfcb6b
SHA256

c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f
SHA512

7e5c087e58fba1923804fb981dd6031bd91130f0a08a391f45647f7775742bdf85d72ccad513f6c2156eb728d17f4124777de98a193eb57e60b2b656c1b3e2e7
SSDEEP

24576:Hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eG+:wcZC35VcOcmDcc6CdI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4120	PING.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2804	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
2804	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
2804	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
2804	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
2804	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2064	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	79
PID 1488 wrote to memory of 2064	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	79
PID 1488 wrote to memory of 2064	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	79
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 1488 wrote to memory of 2804	1488	c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe	81
PID 2064 wrote to memory of 4120	2064	cmd.exe	82
PID 2064 wrote to memory of 4120	2064	cmd.exe	82
PID 2064 wrote to memory of 4120	2064	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
"C:\Users\Admin\AppData\Local\Temp\c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\PING.EXE
    ping -c 5 8.8.8.8
    3⤵
    - Runs ping.exe
    PID:4120
- C:\Users\Admin\AppData\Local\Temp\c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe
  "C:\Users\Admin\AppData\Local\Temp\c0017ec7b8329e011f6dea666897f23fc9788853c0df3652b609d3395c977c0f.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2804-134-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2804-135-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2804-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2804-138-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2804-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2804-140-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download