12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba

Analysis

max time kernel
186s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe
Size

162KB
MD5

0203dc28a630e1a21744690c0417a809
SHA1

98f2e9871fdf80fbc5e220db2b66339e89dea72b
SHA256

12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba
SHA512

2f86c7a0b057b48f969581725837971c3150dca974bce2c9b0fac1b3b8559674140caecdbdba4a03a2e069ff32de61cdcf1475026f454676734e6b3747d2bcda
SSDEEP

3072:OCWroGFYOrZX5UWThz0b+caIUA4UrGA5TZXqTyyLm:z8JNNnXIUVYbCyyy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3556	2680	WerFault.exe	80
1448	2680	WerFault.exe	80

Runs .reg file with regedit 1 IoCs

pid	Process
4940	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe
2680	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4168	2680	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe	82
PID 2680 wrote to memory of 4168	2680	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe	82
PID 2680 wrote to memory of 4168	2680	12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe	82
PID 4168 wrote to memory of 4940	4168	regedt32.exe	83
PID 4168 wrote to memory of 4940	4168	regedt32.exe	83
PID 4168 wrote to memory of 4940	4168	regedt32.exe	83

C:\Users\Admin\AppData\Local\Temp\12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe
"C:\Users\Admin\AppData\Local\Temp\12f8767c2e3364080e4b88fca23f5a4db2f35bcd968f300b04ccee55495247ba.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1020
  2⤵
  - Program crash
  PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 592
  2⤵
  - Program crash
  PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2680 -ip 2680
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2680 -ip 2680
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
66fa4768f897377bbe2433814cea4c40

SHA1
e9e9880735af5e2a5e22900782c7dfda18cc9396

SHA256
0ccffdd3550f22030967033bf7daaf4e6d39bc552f2ed64c9031c1214d825bae

SHA512
7a61474baa02ab7203e75f790cf6fd15c63be53fea2e30b7cd3702af47eaabed2a5b510c88cbf65ca67df172f412c8eb04f3b622e5a8b170d88f57fc7581cec9

Download Submit
memory/2680-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download