a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39

Analysis

max time kernel
146s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe
Size

893KB
MD5

50adf141d9b921d22c50dfdb202d4544
SHA1

e27835cd542d5c6d550f00efb7c2e25f5e791835
SHA256

a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39
SHA512

588e19228190b0d1f5b632df686bd26e78731dcb0472f1f46c2b3d0d9fd0c8537a0187ce3ff4f1d9a016e72bbaf335a11a149d32d4ed37d91a726320ea366272
SSDEEP

12288:Wzj0D9bO3rTtg3xNGNboQtCyGOy9IAGNmt187tZp9oe1aKNvETo+johds7barLGb:WWTKMQtCypy9IvmAro8+Ehds7ULh6J

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1488	tazecik.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe
Token: 33	1488	tazecik.exe
Token: SeIncBasePriorityPrivilege	1488	tazecik.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1264	1076	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	81
PID 1076 wrote to memory of 1264	1076	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	81
PID 1076 wrote to memory of 1264	1076	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	81
PID 1264 wrote to memory of 1488	1264	cmd.exe	84
PID 1264 wrote to memory of 1488	1264	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe
"C:\Users\Admin\AppData\Local\Temp\a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B868.tmp\launch.bat" C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\B868.tmp\tazecik.exe
    tazecik.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B868.tmp\launch.bat

Filesize
28B

MD5
f73b14375c0763929b083a71a42fe5ab

SHA1
dc8f5cecc56ee0e497c22d91f3acd87e1416e014

SHA256
524e66a16be2b09c344bb863033c83f5f9b482a5db1bca780e31e72394fb55a6

SHA512
d3b582a811f95d96a6e1b638de0ba9d46b0fc0bd43828310046d4a7f70d1ced839e2ce6db99f29eff369242ecaab110c848a6ffba28c5a1786f514e368787b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\B868.tmp\tazecik.exe

Filesize
45KB

MD5
2b57b0001db944d425d6e86e672be28d

SHA1
a2a6a49329e94ff65faa9894e2cc84422af86740

SHA256
2956ef6d934f757b1da830811d32efa510c8a9ac04dba12b5958f875fcae101b

SHA512
891429373df0d7571d79b9873bbf14a2e01890ab8e66f4f072c1cd651ca81b074d6f46213ac4f7f37738d64a5a60f9068a98c5210a6f8018f905bd124f88725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B868.tmp\tazecik.exe

Filesize
45KB

MD5
2b57b0001db944d425d6e86e672be28d

SHA1
a2a6a49329e94ff65faa9894e2cc84422af86740

SHA256
2956ef6d934f757b1da830811d32efa510c8a9ac04dba12b5958f875fcae101b

SHA512
891429373df0d7571d79b9873bbf14a2e01890ab8e66f4f072c1cd651ca81b074d6f46213ac4f7f37738d64a5a60f9068a98c5210a6f8018f905bd124f88725a

Download Submit
memory/1076-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1076-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1488-139-0x00007FFE347D0000-0x00007FFE35206000-memory.dmp

Filesize
10.2MB

Download
memory/1488-140-0x000000000102A000-0x000000000102F000-memory.dmp

Filesize
20KB

Download
memory/1488-141-0x000000000102A000-0x000000000102F000-memory.dmp

Filesize
20KB

Download