50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1

Analysis

max time kernel
192s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe
Size

404KB
MD5

609ea2509019e198c8c6a903dec1f738
SHA1

2148f0a807ce1ffbe0509340c20581dc81b5c5ca
SHA256

50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1
SHA512

f2a295b5f72a1af0579805da64710291b2cf98428ca5ee32beb032812ee7f0a40e0ca20115418c0d2943e4509363d9fe5e6311c904bc53250f4d9e5615f41065
SSDEEP

12288:BK2mhAMJ/cPlJYh0GNDCkCpsWndJXDYD4hY:w2O/GlJEDWndJTYsu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3092	servers.sfx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3092	servers.sfx.exe
3092	servers.sfx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 752	204	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	81
PID 204 wrote to memory of 752	204	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	81
PID 204 wrote to memory of 752	204	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	81
PID 752 wrote to memory of 3092	752	cmd.exe	84
PID 752 wrote to memory of 3092	752	cmd.exe	84
PID 752 wrote to memory of 3092	752	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe
"C:\Users\Admin\AppData\Local\Temp\50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\encrypter.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe
    Servers.sfx.exe -pabc123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\encrypter.bat

Filesize
33B

MD5
cb433c4362646249333d790031a8e035

SHA1
5cf0888ee46a69c5924116ec19dfc6f2cbaa507b

SHA256
63e84b53b19a275a0c93fd15fba41f813b998b8daa0089bbb12eb6729922963e

SHA512
d8e90e9d031b1bd3a9ba7035cdcb0d219bf89b278c3d7460ba27518b579875a211d343379f8c0c1e8f05c867271993f3f12d471ac916df10e966f75b332e5374

Download Submit
C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe

Filesize
350KB

MD5
e4285290f1ce7e9241a82092ae5d4c5e

SHA1
cb7eef2c96c183da62446134ef1e6df8ebeb9d10

SHA256
4702d2de6777bf2f3b0dab0df6f4b337941d23af85f8237a815f11087cbe64b3

SHA512
12d603f71bdb47fc9b2f99c5af1e1910a5a83f1a79b4cc32bb51c21c95a14426eaf48b0119d5658d80354710696c4c0f1c213d83f6bde5794a684695115b5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe

Filesize
350KB

MD5
e4285290f1ce7e9241a82092ae5d4c5e

SHA1
cb7eef2c96c183da62446134ef1e6df8ebeb9d10

SHA256
4702d2de6777bf2f3b0dab0df6f4b337941d23af85f8237a815f11087cbe64b3

SHA512
12d603f71bdb47fc9b2f99c5af1e1910a5a83f1a79b4cc32bb51c21c95a14426eaf48b0119d5658d80354710696c4c0f1c213d83f6bde5794a684695115b5354

Download Submit
memory/752-132-0x0000000000000000-mapping.dmp

Download
memory/3092-134-0x0000000000000000-mapping.dmp

Download