8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e

Analysis

max time kernel
321s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe
Size

257KB
MD5

d1684b36d2fcc59f479c7bc2b016fe68
SHA1

6c99aa9f85e52f36a3b2a30ee134af62e63cae4f
SHA256

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e
SHA512

7d1d89d856cc0f29ef346776fb25fed5210b05c4f79bc3298225e23456a5c98f722da6efa7474e60b6ca5de9509ff276c7827637f84101d26e4b751abbdbea54
SSDEEP

3072:2zqDfnQogw8u6FIJp+fsSmJU8zhrLH/s:2unQZRFSp+fsVU8zhrA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2222.exe

pid process

1124 2222.exe

pid	process
1124	2222.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2222.exe

pid process

1124 2222.exe
1124 2222.exe
1124 2222.exe
1124 2222.exe

pid	process
1124	2222.exe
1124	2222.exe
1124	2222.exe
1124	2222.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe2222.exe

description	pid	process	target process
PID 3472 wrote to memory of 1124	3472	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 3472 wrote to memory of 1124	3472	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 3472 wrote to memory of 1124	3472	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 1124 wrote to memory of 2808	1124	2222.exe	Explorer.EXE
PID 1124 wrote to memory of 2808	1124	2222.exe	Explorer.EXE
PID 1124 wrote to memory of 2808	1124	2222.exe	Explorer.EXE
PID 1124 wrote to memory of 2808	1124	2222.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe
"C:\Users\Admin\AppData\Local\Temp\8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\2222.exe
"C:\Users\Admin\AppData\Local\Temp\2222.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
C:\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
memory/1124-132-0x0000000000000000-mapping.dmp

Download
memory/1124-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-137-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1124-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-136-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download