dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049

Analysis

max time kernel
132s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
Size

160KB
MD5

93890e6894dd7ccc8f0bad1cd9775a0a
SHA1

2626f5be581ea9578eb644750b9b28d735baa92a
SHA256

dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049
SHA512

170d810d5f4a16ec6095d697e9718aade2b31582e4eaffc2c0ec8ea9e09413e277c286ea34bd30b08be73278d792b575681a993d22014c9edc1141a87824ff63
SSDEEP

3072:jofpVwLoZZVMrawVeoDrxmcRJ4Cl2w8/cF:jCpSmJw79RJ4ClsC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5020	calc.exe
2080	notepad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system3200041B5D	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system32calc.exe	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system32notepad.exe	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system320E573846	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 5020	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	79
PID 4064 wrote to memory of 5020	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	79
PID 4064 wrote to memory of 5020	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	79
PID 4064 wrote to memory of 2080	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	80
PID 4064 wrote to memory of 2080	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	80
PID 4064 wrote to memory of 2080	4064	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	80

C:\Users\Admin\AppData\Local\Temp\dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
"C:\Users\Admin\AppData\Local\Temp\dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\calc.exe
  "C:\Users\Admin\AppData\Local\Temp\calc.exe"
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
  2⤵
  - Executes dropped EXE
  PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit