744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe
Size

1.3MB
MD5

c9e071b18ca0aea0a89ebf0943f80e53
SHA1

8a22d1362983177821f3e2cdf8eed980777a72f9
SHA256

744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b
SHA512

bfd6f017ae605110bbd3dcd18516cc82a241bb0a146282d82b472c6ca25e897a04f93bf85fd6eb940e0aeabcc3fdb1e34eb61311829ca61bc52351f873c7f016
SSDEEP

24576:mbwlgdC2aus8fZHu/B6S+xWNU73Za15QQS6UEbk73HYLA:mD8cS0uqJj0bk73HYLA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3376	service.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe
3376	service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3376	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	76
PID 3912 wrote to memory of 3376	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	76
PID 3912 wrote to memory of 3376	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	76
PID 3912 wrote to memory of 2004	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	78
PID 3912 wrote to memory of 2004	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	78
PID 3912 wrote to memory of 2004	3912	744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe	78

C:\Users\Admin\AppData\Local\Temp\744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe
"C:\Users\Admin\AppData\Local\Temp\744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\tmpFWS_\service.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFWS_\service.exe" service tmpFWS_
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$Windows$$.bat
  2⤵
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$Windows$$.bat

Filesize
248B

MD5
e5f888b7423a79cdde9c730f7502a600

SHA1
9d51f9d7dfd90f6ccd3d84f35df66c4f19da9b79

SHA256
4f8307870959feca4361424b3883e02e45d8da7b21aeb2ee4e472709bf071f68

SHA512
6d04c565f69d1f3521a88f524bd40078a3d1c7424092802b8e70f6a397fa1ebc3046606518fbd745e7ad9bd916c0ee6166b0c571508347c23c6bd1a06e61acb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFWS_\service.exe

Filesize
1.3MB

MD5
c9e071b18ca0aea0a89ebf0943f80e53

SHA1
8a22d1362983177821f3e2cdf8eed980777a72f9

SHA256
744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b

SHA512
bfd6f017ae605110bbd3dcd18516cc82a241bb0a146282d82b472c6ca25e897a04f93bf85fd6eb940e0aeabcc3fdb1e34eb61311829ca61bc52351f873c7f016

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFWS_\service.exe

Filesize
1.3MB

MD5
c9e071b18ca0aea0a89ebf0943f80e53

SHA1
8a22d1362983177821f3e2cdf8eed980777a72f9

SHA256
744575435e68e8b5fe951d951dfed37a24b4e97601c4ec84a9fe3d0e63882d9b

SHA512
bfd6f017ae605110bbd3dcd18516cc82a241bb0a146282d82b472c6ca25e897a04f93bf85fd6eb940e0aeabcc3fdb1e34eb61311829ca61bc52351f873c7f016

Download Submit