8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272

Analysis

max time kernel
153s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
Size

38KB
MD5

b1bf72c9c9bfc9b16f0bba3135de8377
SHA1

a83c333d22d3e440a4a57cc03ea1318c35573853
SHA256

8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272
SHA512

b4062697d47415b7475f2c756b1671a14b4945621202311b97a782aea1f2acb5fa900ce37940ac7aa8d038a9bcbc633e9bcc2bb2a8838b1422377e3cd43a8584
SSDEEP

768:9VO48tURyrl6iaLcuR+G7UxFEtTJFFXC3CKegOP:O4QUIrl3a5RCxOHFy3dC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3400	decrypted.exe
4160	decrypted.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	4160	WerFault.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4576	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3400	4576	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	83
PID 4576 wrote to memory of 3400	4576	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	83
PID 4576 wrote to memory of 3400	4576	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	83
PID 3400 wrote to memory of 4160	3400	decrypted.exe	84
PID 3400 wrote to memory of 4160	3400	decrypted.exe	84
PID 3400 wrote to memory of 4160	3400	decrypted.exe	84

C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
"C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\decrypted.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 464
      4⤵
      Program crash
      PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4160 -ip 4160
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit