805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe
Size

223KB
MD5

a3515422fca53a59a6920dede7c5fd2c
SHA1

d849d7af07ed678fd5d0e9252569c245b2297292
SHA256

805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53
SHA512

e7f4f5281a00a9355cecf770717c62b0721e37e2f55c092b51d72ccb605fbc4e00158d897928114bddc8ff167989d8c189eaa8325aa90bc35a22f6e0c0dbd840
SSDEEP

6144:HP9lNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNdwNMaFuWMGH:HP9iiaNMGfkHriP8L2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3344	Windows_Events.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\security\window\Windows_Events.InstallState	Windows_Events.exe
File created	C:\Windows\security\window\Windows_Events.exe	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe
File opened for modification	C:\Windows\security\window\Windows_Events.InstallLog	Windows_Events.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3344	3060	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe	80
PID 3060 wrote to memory of 3344	3060	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe	80
PID 3060 wrote to memory of 664	3060	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe	81
PID 3060 wrote to memory of 664	3060	805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe	81
PID 664 wrote to memory of 5068	664	cmd.exe	83
PID 664 wrote to memory of 5068	664	cmd.exe	83
PID 5068 wrote to memory of 4684	5068	net.exe	84
PID 5068 wrote to memory of 4684	5068	net.exe	84

C:\Users\Admin\AppData\Local\Temp\805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe
"C:\Users\Admin\AppData\Local\Temp\805afeed0aee894d45da02b05c8141e94108a08870020ab707b1caeac920ed53.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\security\window\Windows_Events.exe
  "C:\Windows\security\window\Windows_Events.exe" -i
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3344
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C net start "Windows Events"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\net.exe
    net start "Windows Events"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start "Windows Events"
      4⤵
      PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\security\window\Windows_Events.exe

Filesize
19KB

MD5
209da7333a508c70f3c5a0535db2076d

SHA1
9296d0351a425178b843fdec9eb7b6b5e782ea36

SHA256
b43d3a805a3a0f5a066eb4300edf3c876760d90e99628e8dce325bcfde986a5f

SHA512
eeec9a1d6195f9dc9cf7d5f39f9e79344b8e2b052901574bba72f0e120bedb4c30750d217a4db4ed34ba3b15357aba9b6ae013f26eec046f75688d76f3ae3932

Download Submit
C:\Windows\security\window\Windows_Events.exe

Filesize
19KB

MD5
209da7333a508c70f3c5a0535db2076d

SHA1
9296d0351a425178b843fdec9eb7b6b5e782ea36

SHA256
b43d3a805a3a0f5a066eb4300edf3c876760d90e99628e8dce325bcfde986a5f

SHA512
eeec9a1d6195f9dc9cf7d5f39f9e79344b8e2b052901574bba72f0e120bedb4c30750d217a4db4ed34ba3b15357aba9b6ae013f26eec046f75688d76f3ae3932

Download Submit
memory/3060-132-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download
memory/3344-137-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download