8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7

Analysis

max time kernel
167s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe
Size

93KB
MD5

92ff0141f2dc83f5acc041e62b6c7443
SHA1

23e5e32e1f29b56c247a1d5a729e50a6ac690b51
SHA256

8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7
SHA512

f8f0f62316b687a5328ec2020c6238f772931ca25518d22503400a4fcf6632315a60331178892da418125e51fba66eafcf8b1ffda88a508331461a6e9f1475ce
SSDEEP

1536:OmGCGKcXpUwbTZ2m0issAmGvyYT6HCBvO1rM+kS2PCqEgJMc3kdkMMckgQlm5+X9:DGDZvbd2XnstG6YT6iqA+kPCq/JMclMe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3040	4332	8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe	78
PID 4332 wrote to memory of 3040	4332	8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe	78
PID 4332 wrote to memory of 3040	4332	8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe	78

C:\Users\Admin\AppData\Local\Temp\8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe
"C:\Users\Admin\AppData\Local\Temp\8d634ce71854ef7260c4ae24f9099401cd171084ed409c82f63abb9c53bafbd7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ufp..bat" > nul 2> nul
  2⤵
  PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ufp..bat

Filesize
274B

MD5
13618bbead2a45335e1926678fa7dc68

SHA1
347f785bd18b99dfedef5254b2288088e9987731

SHA256
ac9d0e293d6912d05d03d8d5355c4f9a8469f7e62deec782569a91bd418914cc

SHA512
1a9a4afd237eb77b63d3fc3a04233baa25f8456f31e4fff9028be787433b1af479ae96e1caca22e8ba76d79b1ef79e3ec23c91da8804f589de20febb2bb0ac5a

Download Submit
memory/3040-133-0x0000000000000000-mapping.dmp

Download
memory/4332-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4332-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download