eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2

Analysis

max time kernel
319s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
Size

675KB
MD5

0b6ddda7ba995c36b25bf5f562b4104f
SHA1

fd103c9f0ac2f8462f9c8f24bcfe1fca22eb691d
SHA256

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2
SHA512

c30e7ec9283f1917b05fdbf952d145837ad407b3bdc5431d78cb6a0f70af3a0192f0373c4fc3aefb7cae9766b0813ba802241a4a51f4b7ae7dbffd42738daab4
SSDEEP

12288:iat0EAH49n8BGe60O+/CRcDrNnyWP28xRqcrINVeAGXHbH6zAv2P5up+Jit:Nt24Je6BeC2yXKR0reNXHmzA0+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

2676 2.exe

pid	process
2676	2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3732 NOTEPAD.EXE

pid	process
3732	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 3732	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 4040 wrote to memory of 3732	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 4040 wrote to memory of 3732	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	NOTEPAD.EXE
PID 4040 wrote to memory of 4592	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 4040 wrote to memory of 4592	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 4040 wrote to memory of 4592	4040	eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe	cmd.exe
PID 4592 wrote to memory of 2676	4592	cmd.exe	2.exe
PID 4592 wrote to memory of 2676	4592	cmd.exe	2.exe
PID 4592 wrote to memory of 2676	4592	cmd.exe	2.exe

C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe
"C:\Users\Admin\AppData\Local\Temp\eea615efc27f4dbaa20f493226caf399a4f5994fd1493f03ac75deffa81954d2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\good.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    2.exe -p97135 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
33B

MD5
5b6bae6a6904f85436b1ab38dcc4a790

SHA1
c6556302d873217df621cdd5893424a61d72faae

SHA256
d3c84d033ac9e86c90b431fe9f71507d8ab1b8427f2f68688c1e771ea4cc3fa8

SHA512
987ff8fdd31434aae3629cb7fbb776e12f3ec3ac4855cb6715ed5f9e55984b9dcec5ffb0cd358961451037f17b42cc7103a0f240b0b16d16b726795464580e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
438KB

MD5
6f76c6d26dd252684163e0fb324d0a70

SHA1
3862a46eef009b5947c803b33c16f6fb3aa3a1e1

SHA256
d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

SHA512
59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
438KB

MD5
6f76c6d26dd252684163e0fb324d0a70

SHA1
3862a46eef009b5947c803b33c16f6fb3aa3a1e1

SHA256
d477d3daaa8f0f3d999c58602e24b1c1b1188eef9d206afaef314591798f019d

SHA512
59a7cf7e74ba545163b7a15b545d540d9d0c678100df1a92d9169762cbf5d9d6529464bfa1a4bc4d8fa9384e37bbea268e995942e8761bfd4d301ca7814f4eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\good.txt

Filesize
275KB

MD5
f5ed8cd6e8e25f702f41c768a91220b3

SHA1
c13ac128aac625beada1cdcb6e1f3aaa9d4c3e83

SHA256
e26206534d17d5798ccb1c61c5c54c4781e7cff18c26e0827a7f903aed697d02

SHA512
bfb27c9ee53f6094c28fc395b3fbc18b0c1450aad49fbc2aa51c7f14f756506a8c274423bf5b6a0768f76f3efde031b7f234b855c48c91049d0e1e5129e4c9c7

Download Submit
memory/2676-135-0x0000000000000000-mapping.dmp

Download
memory/3732-132-0x0000000000000000-mapping.dmp

Download
memory/4592-133-0x0000000000000000-mapping.dmp

Download