Analysis
max time kernel: 190s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 19:03
Static task: static1
Behavioral task: behavioral1
  Sample: e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
  Resource: win10v2004-20221111-en
General
Target: e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
Size: 124KB
MD5: a11abd7c806ff8fa6abd964ab8a9ead4
SHA1: 9b71932614aa05222bf7211d8fe103d27552b85f
SHA256: e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8
SHA512: 25d60c8ba4ebb78bcbf18a2b0b09f4697b3899fce2f40d672c6fee0a3ad3f3eefe2ec9421004b23cb1dd4ba189d2ab08448c5840eaa6f2d7a0cb64f81eaa7a47
SSDEEP: 1536:bF5FlScArPVllrvwJRyQ233YHrXAVODPCSrPD4eJNp1pMVIRBCfOTHDAgcrAZoNn:bBlScu3DPJ
Malware Config
Signatures
YARA rule matches 4 IoCs
  rule: upx
  resources (all four hits are the same region of PID 2448, 0x0000000000400000-0x000000000040F000, dumped at four points in time):
    behavioral2/memory/2448-135-0x0000000000400000-0x000000000040F000-memory.dmp
    behavioral2/memory/2448-137-0x0000000000400000-0x000000000040F000-memory.dmp
    behavioral2/memory/2448-138-0x0000000000400000-0x000000000040F000-memory.dmp
    behavioral2/memory/2448-139-0x0000000000400000-0x000000000040F000-memory.dmp
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  Process: e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
Suspicious use of SetThreadContext 1 IoCs
  PID 2068 (e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe) set thread context of PID 2448 (procid_target 82)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but no specific IoCs are listed for this sample, so on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 2448 svchost.exe (64 identical hits)
Suspicious use of SetWindowsHookEx 1 IoCs
  PID 2068 e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
Suspicious use of WriteProcessMemory 11 IoCs
  PID 2068 (e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe) wrote to memory of PID 2448 (procid_target 82): 8 hits
  PID 2068 (e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe) wrote to memory of PID 1780 (procid_target 83): 3 hits
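The yara hit above is tagged `upx` on a memory region of PID 2448, not on the file on disk. The added Python below is not part of the sandbox report or of its rule set; it shows the two checks that typical UPX rules rely on (section names beginning with `UPX` and the `UPX!` marker string) applied to a PE header, and parses the report's dump file names into (pid, start, end) so the region size can be compared with the 124KB sample. The PE image it scans is constructed in the block for the example; the rule name, section names and offsets are standard PE/UPX facts, while `build_minimal_pe` and the dump-name pattern are assumptions made here for illustration.

```python
import re
import struct

# Pattern of the report's dump names: behavioral2/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# (assumption: this is the naming scheme seen on the page, not a documented sandbox API).
DUMP_RE = re.compile(
    r"/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, start, end) for a report dump name, or None if it does not match."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    return int(m["pid"]), int(m["start"], 16), int(m["end"], 16)


def build_minimal_pe(section_names):
    """Constructed test data: a header-only 32-bit PE image with the given section names.

    It is not a runnable binary; it only carries the DOS stub, PE signature,
    file header, optional header and section table that a UPX check reads.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(0xE0, b"\x00")  # PE32 magic, rest zeroed
    sections = b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, six DWORDs, two WORDs, one DWORD
        sections += struct.pack(
            "<8sIIIIIIHHI", name.ljust(8, b"\x00"),
            0x1000, 0x1000 * (i + 1), 0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020,
        )
    return dos + b"PE\x00\x00" + file_hdr + opt_hdr + sections + b"\x00" * 0x200


def pe_section_names(buf):
    """Walk the section table of a PE image in memory and return its section names."""
    if buf[:2] != b"MZ" or len(buf) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsec):
        raw = buf[sec_off + 40 * i: sec_off + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\x00").decode("latin-1"))
    return names


def upx_indicators(buf):
    """Report the UPX traits a memory-dump rule keys on: UPX* section names and the UPX! marker."""
    names = pe_section_names(buf)
    return {
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in buf,
    }


if __name__ == "__main__":
    dump = "behavioral2/memory/2448-135-0x0000000000400000-0x000000000040F000-memory.dmp"
    pid, start, end = parse_dump_name(dump)
    print(f"pid {pid}: region 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(upx_indicators(build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

The region in the report is 0xF000 bytes (60KB), smaller than the 124KB file on disk, which is what you expect when only the mapped image of the child (PID 2448) is dumped rather than the dropper itself. A packed image keeps its UPX section names in the mapped header, so the rule still fires on the dump even though the code has been unpacked in place.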
Processes
1. C:\Users\Admin\AppData\Local\Temp\e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e6f578ab34c42c92ed26fc0fe0e9b914494cbda08ef1b2a27873f886bdc667d8.exe"
   PID: 2068
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 2448
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
      PID: 1780

Reading the tree together with the signatures: PID 2068 wrote to the memory of PID 2448 and then set its thread context, and the yara hits show a UPX-packed image mapped at 0x400000 inside the svchost.exe child. That sequence is consistent with the sample starting svchost.exe and replacing its image with its own payload (process hollowing), with the injected svchost.exe then doing the process enumeration. The image paths under SysWOW64 while the command lines say system32 are file-system redirection for a 32-bit parent, not a separate anomaly.
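The pattern above (WriteProcessMemory followed by SetThreadContext from a user-writable path into a process whose image lives in a Windows system directory) is the thing a triage script should pull out of a report like this automatically. The added Python below is an example written for this page, not tooling from the sandbox vendor or from the report; it parses signature lines in the same "PID <src> wrote to memory of <dst> ..." / "PID <src> set thread context of <dst> ..." shape the report uses, joins them with a process table, and ranks source/target pairs. The event lines, pids and image names in the block are constructed to mirror the report; the severity labels and the `SYSTEM_DIRS` list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input in the report's signature-line shape:
# "PID <src> <action> <dst> <src> <image> <procid_target>". Not copied from real logs.
SAMPLE_EVENTS = """\
PID 2068 wrote to memory of 2448 2068 sample.exe 82
PID 2068 wrote to memory of 2448 2068 sample.exe 82
PID 2068 wrote to memory of 2448 2068 sample.exe 82
PID 2068 set thread context of 2448 2068 sample.exe 82
PID 2068 wrote to memory of 1780 2068 sample.exe 83
"""

# Constructed process table (pid -> image path), as the Processes section would give it.
SAMPLE_PROCESSES = {
    2068: r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
    2448: r"C:\Windows\SysWOW64\svchost.exe",
    1780: r"C:\Windows\SysWOW64\cmd.exe",
}

# Assumption for the example: these are the directories whose binaries are
# attractive hollowing targets because they look legitimate in a process list.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+)\b"
)


@dataclass
class Finding:
    source: int
    target: int
    target_image: str
    writes: int
    thread_context: bool
    severity: str


def parse_events(text):
    """Collapse signature lines into {(src, dst): {"writes": n, "ctx": bool}}."""
    pairs = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip headings and lines in any other shape
        key = (int(m["src"]), int(m["dst"]))
        rec = pairs.setdefault(key, {"writes": 0, "ctx": False})
        if m["action"] == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["ctx"] = True
    return pairs


def is_system_image(path):
    """True if the image path sits under one of SYSTEM_DIRS (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def analyze(events_text, processes):
    """Rank (source, target) pairs; high = write + thread-context change into a system binary."""
    findings = []
    for (src, dst), rec in parse_events(events_text).items():
        image = processes.get(dst, "<unknown>")
        if rec["ctx"] and rec["writes"] > 0 and is_system_image(image):
            sev = "high"  # classic hollowing sequence against a system image
        elif rec["ctx"] or rec["writes"] > 0:
            sev = "low"   # writes alone also occur when a parent simply spawns a child
        else:
            continue
        findings.append(Finding(src, dst, image, rec["writes"], rec["ctx"], sev))
    findings.sort(key=lambda f: (f.severity != "high", f.target))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, SAMPLE_PROCESSES):
        print(f"[{f.severity}] {f.source} -> {f.target} {f.target_image} "
              f"writes={f.writes} set_thread_context={f.thread_context}")
```

On the constructed input this yields one high finding (2068 -> 2448, svchost.exe) and one low finding (2068 -> 1780, cmd.exe), matching the split the report shows between the hollowed child and the batch-file launcher. The low tier exists because the sandbox logs a memory write for ordinary child creation too, so write-only pairs should not be escalated without further evidence.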
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176B
MD5: a0e81a894cff03648a99aa69597200f4
SHA1: 4661e23da77233793555b0275f12f293a8663cdc
SHA256: c86e9fd5e7727f42e7616157e09c72aad14ddb05839f295b6adf635627633cee
SHA512: f1ce6f89afd6a26379198695dd060ba5c5422632647f45ef28ca1aa6a7ff857db8970041fd19c21e634d82f346c95c86bf68e3261290cbae5c85590bbf590095