Analysis
max time kernel: 319s
max time network: 329s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:55
Static task
static1
Behavioral task
behavioral1
Sample
eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Resource
win10v2004-20221111-en
General
Target: eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Size: 675KB
MD5: 0b6ddda7ba995c36b25bf5f562b4104f
SHA1: fd103c9f0ac2f8462f9c8f24bcfe1fca22eb691d
SHA256: eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2
SHA512: c30e7ec9283f1917b05fdbf952d145837ad407b3bdc5431d78cb6a0f70af3a0192f0373c4fc3aefb7cae9766b0813ba802241a4a51f4b7ae7dbffd42738daab4
SSDEEP: 12288:iat0EAH49n8BGe60O+/CRcDrNnyWP28xRqcrINVeAGXHbH6zAv2P5up+Jit:Nt24Je6BeC2yXKR0reNXHmzA0+
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2676  2.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation   eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings   eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid   process
  3732  NOTEPAD.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                          pid   process                                                                 target process
  PID 4040 wrote to memory of 3732     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   NOTEPAD.EXE
  PID 4040 wrote to memory of 3732     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   NOTEPAD.EXE
  PID 4040 wrote to memory of 3732     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   NOTEPAD.EXE
  PID 4040 wrote to memory of 4592     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   cmd.exe
  PID 4040 wrote to memory of 4592     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   cmd.exe
  PID 4040 wrote to memory of 4592     4040  eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe   cmd.exe
  PID 4592 wrote to memory of 2676     4592  cmd.exe                                                                 2.exe
  PID 4592 wrote to memory of 2676     4592  cmd.exe                                                                 2.exe
  PID 4592 wrote to memory of 2676     4592  cmd.exe                                                                 2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4040
    C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\good.txt
      - Opens file in notepad (likely ransom note)
      PID: 3732
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4592
        C:\Users\Admin\AppData\Local\Temp\2.exe
          command line: 2.exe -p97135 -dC:\Users\Admin\AppData\Local\Temp
          - Executes dropped EXE
          PID: 2676
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 33B
MD5: 5b6bae6a6904f85436b1ab38dcc4a790
SHA1: c6556302d873217df621cdd5893424a61d72faae
SHA256: d3c84d033ac9e86c90b431fe9f71507d8ab1b8427f2f68688c1e771ea4cc3fa8
SHA512: 987ff8fdd31434aae3629cb7fbb776e12f3ec3ac4855cb6715ed5f9e55984b9dcec5ffb0cd358961451037f17b42cc7103a0f240b0b16d16b726795464580e94

Filesize: 438KB
MD5: 6f76c6d26dd252684163e0fb324d0a70
SHA1: 3862a46eef009b5947c803b33c16f6fb3aa3a1e1
SHA256: d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d
SHA512: 59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Filesize: 438KB
MD5: 6f76c6d26dd252684163e0fb324d0a70
SHA1: 3862a46eef009b5947c803b33c16f6fb3aa3a1e1
SHA256: d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d
SHA512: 59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Filesize: 275KB
MD5: f5ed8cd6e8e25f702f41c768a91220b3
SHA1: c13ac128aac625beada1cdcb6e1f3aaa9d4c3e83
SHA256: e26206534d17d5798ccb1c61c5c54c4781e7cff18c26e0827a7f903aed697d02
SHA512: bfb27c9ee53f6094c28fc395b3fbc18b0c1450aad49fbc2aa51c7f14f756506a8c274423bf5b6a0768f76f3efde031b7f234b855c48c91049d0e1e5129e4c9c7