Analysis

  • max time kernel
    319s
  • max time network
    329s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26-11-2022 08:55

General

  • Target

    eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe

  • Size

    675KB

  • MD5

    0b6ddda7ba995c36b25bf5f562b4104f

  • SHA1

    fd103c9f0ac2f8462f9c8f24bcfe1fca22eb691d

  • SHA256

    eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2

  • SHA512

    c30e7ec9283f1917b05fdbf952d145837ad407b3bdc5431d78cb6a0f70af3a0192f0373c4fc3aefb7cae9766b0813ba802241a4a51f4b7ae7dbffd42738daab4

  • SSDEEP

    12288:iat0EAH49n8BGe60O+/CRcDrNnyWP28xRqcrINVeAGXHbH6zAv2P5up+Jit:Nt24Je6BeC2yXKR0reNXHmzA0+

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
    "C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\good.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Users\Admin\AppData\Local\Temp\2.exe
        2.exe -p97135 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        PID:2676

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2.bat

    Filesize

    33B

    MD5

    5b6bae6a6904f85436b1ab38dcc4a790

    SHA1

    c6556302d873217df621cdd5893424a61d72faae

    SHA256

    d3c84d033ac9e86c90b431fe9f71507d8ab1b8427f2f68688c1e771ea4cc3fa8

    SHA512

    987ff8fdd31434aae3629cb7fbb776e12f3ec3ac4855cb6715ed5f9e55984b9dcec5ffb0cd358961451037f17b42cc7103a0f240b0b16d16b726795464580e94

  • C:\Users\Admin\AppData\Local\Temp\2.exe

    Filesize

    438KB

    MD5

    6f76c6d26dd252684163e0fb324d0a70

    SHA1

    3862a46eef009b5947c803b33c16f6fb3aa3a1e1

    SHA256

    d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

    SHA512

    59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

  • C:\Users\Admin\AppData\Local\Temp\good.txt

    Filesize

    275KB

    MD5

    f5ed8cd6e8e25f702f41c768a91220b3

    SHA1

    c13ac128aac625beada1cdcb6e1f3aaa9d4c3e83

    SHA256

    e26206534d17d5798ccb1c61c5c54c4781e7cff18c26e0827a7f903aed697d02

    SHA512

    bfb27c9ee53f6094c28fc395b3fbc18b0c1450aad49fbc2aa51c7f14f756506a8c274423bf5b6a0768f76f3efde031b7f234b855c48c91049d0e1e5129e4c9c7

  • memory/2676-135-0x0000000000000000-mapping.dmp

  • memory/3732-132-0x0000000000000000-mapping.dmp

  • memory/4592-133-0x0000000000000000-mapping.dmp
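The process tree and the Downloads list above are what an analyst would turn into a hunt. The following is an added example (it is not part of the sandbox report and not code from the sample's authors) that encodes the observed chain as rules over process-creation events shaped like Sysmon Event ID 1 and enriches hits with the SHA256 values listed under General and Downloads. The event list is constructed to mirror the tree on this page: the PIDs, images and command lines are copied from the report, while the explorer.exe parent (PID 1234), its own parent PID 1000 and the benign notepad launch (PID 5000) are invented to show that the rules do not fire on ordinary activity.

```python
"""Hunt rules derived from the process tree and dropped-file hashes in this report.

Added example, not part of the sandbox report. Events are constructed to mirror
the report's process tree; they are not telemetry taken from the page.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# SHA256 values copied from the report (General and Downloads sections).
REPORT_SHA256 = {
    "eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2": "submitted sample",
    "d3c84d033ac9e86c90b431fe9f71507d8ab1b8427f2f68688c1e771ea4cc3fa8": "2.bat",
    "d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d": "2.exe",
    "e26206534d17d5798ccb1c61c5c54c4781e7cff18c26e0827a7f903aed697d02": "good.txt",
}

# Matches a path component inside the per-user Temp directory (case-insensitive).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields needed for the rules below."""
    pid: int
    ppid: int
    image: str
    command_line: str
    sha256: str = ""  # Sysmon's Hashes field, SHA256 component, when available


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_temp(text: str) -> bool:
    return bool(TEMP_RE.search(text))


def ancestry(events, pid):
    """Return the parent chain root..pid using only PIDs present in the events."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def evaluate(events):
    """Apply the report-derived rules; returns {pid: [finding, ...]} for hits only."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        cmd = e.command_line.lower()
        # Rule 1: image hash matches a file hash published in the report.
        label = REPORT_SHA256.get(e.sha256.lower())
        if label:
            findings[e.pid].append(f"image hash matches report IOC ({label})")
        # Rule 2: notepad opening a .txt in Temp, launched by a process running from Temp
        # (the report's 'Opens file in notepad (likely ransom note)' signature).
        if name == "notepad.exe" and parent and in_temp(parent.image) \
                and ".txt" in cmd and in_temp(e.command_line):
            findings[e.pid].append("notepad displays a text file from Temp on behalf of a Temp-resident parent")
        # Rule 3: cmd.exe /c executing a batch file from Temp.
        if name == "cmd.exe" and re.search(r"/c\s", cmd) and ".bat" in cmd and in_temp(e.command_line):
            findings[e.pid].append("cmd.exe runs a .bat from Temp")
        # Rule 4: an executable in Temp started by a cmd.exe that is running a batch file
        # (the report's 'Executes dropped EXE' signature).
        if name.endswith(".exe") and in_temp(e.image) and parent \
                and basename(parent.image) == "cmd.exe" and ".bat" in parent.command_line.lower():
            findings[e.pid].append("dropped EXE in Temp executed via batch file")
    return dict(findings)


# Constructed events mirroring the report's tree; explorer.exe (1234) and PID 5000 are invented.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4040, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe"',
              sha256="eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2"),
    ProcEvent(3732, 4040, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\good.txt'),
    ProcEvent(4592, 4040, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "'),
    ProcEvent(2676, 4592, r"C:\Users\Admin\AppData\Local\Temp\2.exe",
              r"2.exe -p97135 -dC:\Users\Admin\AppData\Local\Temp",
              sha256="d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d"),
    # Benign control: explorer launching notepad on a Desktop file should not fire.
    ProcEvent(5000, 1234, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt'),
]

if __name__ == "__main__":
    for pid, hits in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, "chain:", " -> ".join(map(str, ancestry(SAMPLE_EVENTS, pid))))
        for hit in hits:
            print("   ", hit)
```

Rules 2 to 4 key on the parent/child relationship and the Temp location rather than on the file names, so renaming 2.bat or good.txt does not defeat them; Rule 1 is the brittle one and exists only to tie a hit back to this report. One further observation for whoever triages 2.exe: the switches it is given (-p97135 and -dC:\Users\Admin\AppData\Local\Temp) have the form of the password and destination-directory switches accepted by WinRAR self-extracting archives. The report does not identify 2.exe's format, so that is an inference to confirm by inspecting the file, not a finding on this page.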