7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e

General

Target

7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe
Size

7KB
MD5

050771756ad083aa8ab86deb6dea78a4
SHA1

0e2c8d2a1b2f9006909c3900e9d7f46dfe038fda
SHA256

7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e
SHA512

a7dd7706880400fd4289843476f725fc2aa310b0cb499276f3156332c6deab1e071d1a5680f241a24cf4220916748469211496585d4051517c7bcdb0dd2eeead
SSDEEP

96:pnyFk7yW3tT+lPb3T3HFxphq7W/aVW9l3uWaDLeBomj++g:4Fk7yW9TWb3TVxpk7Wy8aDLI/++g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1264	ipconfig.exe
1768	ipconfig.exe
1352	ipconfig.exe
1564	ipconfig.exe
1480	ipconfig.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1480	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	28
PID 628 wrote to memory of 1480	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	28
PID 628 wrote to memory of 1480	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	28
PID 628 wrote to memory of 1480	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	28
PID 628 wrote to memory of 1264	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	29
PID 628 wrote to memory of 1264	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	29
PID 628 wrote to memory of 1264	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	29
PID 628 wrote to memory of 1264	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	29
PID 628 wrote to memory of 1768	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	31
PID 628 wrote to memory of 1768	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	31
PID 628 wrote to memory of 1768	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	31
PID 628 wrote to memory of 1768	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	31
PID 628 wrote to memory of 1352	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	33
PID 628 wrote to memory of 1352	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	33
PID 628 wrote to memory of 1352	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	33
PID 628 wrote to memory of 1352	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	33
PID 628 wrote to memory of 1564	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	34
PID 628 wrote to memory of 1564	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	34
PID 628 wrote to memory of 1564	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	34
PID 628 wrote to memory of 1564	628	7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe	34

C:\Users\Admin\AppData\Local\Temp\7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe
"C:\Users\Admin\AppData\Local\Temp\7400ee6ab57ae571f6088248db88c4e92e1f05fa8dd75204f59b33b66b1e1c5e.exe"
1⤵
- Checks computer location settings
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:1480
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /registerdns
  2⤵
  - Gathers network information
  PID:1264
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /dnsflush
  2⤵
  - Gathers network information
  PID:1768
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /renew
  2⤵
  - Gathers network information
  PID:1352
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /renew_all
  2⤵
  - Gathers network information
  PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-55-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/628-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/628-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads