b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a

Analysis

max time kernel
176s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe
Size

28KB
MD5

48bef9666e05538483d9e4220db782f7
SHA1

685141d4c3279d61d0b51978a4c2039a4e0ef6ff
SHA256

b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a
SHA512

3fd9046dd5da71f305a34b8c549079c3cdd90086542d1f90812fed71366396d361d81813aab9376322cd3d69d41278711076f48cbee07fd8656b0a17c9202aed
SSDEEP

384:lbfxPD2sUJk7EaYk2D5ILG9tRK0VS5kPViapJ8b06ixyt5o8sO9/V+3QpTOZEsjI:ltFUJVaYb9nVVbUqDFJO9I32gnaCx54

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-132-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3908-133-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3908-135-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4120	3908	b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe	79
PID 3908 wrote to memory of 4120	3908	b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe	79
PID 3908 wrote to memory of 4120	3908	b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe	79

C:\Users\Admin\AppData\Local\Temp\b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe
"C:\Users\Admin\AppData\Local\Temp\b5ec7008e1c20a565e6d7da541964a97760c999ed12ba44b3203f44f7fc2309a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
274B

MD5
ed55b9a1b758b6a538484342e770a707

SHA1
e9020da3f53b763859e1e5c18db4be58cb96292c

SHA256
b12b0a1ae680f2bd51cd66cc873d52a0cdce297e28a685f83deb5f3de622d335

SHA512
8bcbdb8418fbf847ed9e28accc0bf755ad402fd164fc85937e5026e635cc8b9688fffcd87c9dce9f98ad598a41bac836cb6d5bf7161362842f79abacf8fbe8bd

Download Submit
memory/3908-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download