Analysis

max time kernel: 185s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2022, 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: 85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe
  Resource: win10v2004-20221111-en
General

Target: 85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe
Size: 112KB
MD5: 84b6c4e328352dcc27e38229a3035554
SHA1: d14807513cd880dbd08efedcb294f5f21ec8f10d
SHA256: 85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff
SHA512: 9b67c2c3bb013c2385377ec479b765a0cab8d4368f0779f59e8e89b2bb27f83e08362551bd972a7080c90428c603c5f92c67be95767fccf0f1b45d51b05a5d6e
SSDEEP: 1536:z6znpBYnLkVhMZsY5937UOJM/Wv3mseoTWFfQRgXbsNthnZVdRlITJxATX78Dm/B:2OUoQoiidRyzATYEcpX8wtO6R8yG
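Before relying on the behaviour recorded in this report, confirm that the file in hand is the same sample. The check below is an added example, not part of the sandbox report: it computes the four digests listed under General in a single pass over the file and compares them case-insensitively. Function names and the 1 MiB read size are this example's own choices; size is not compared because the report shows it rounded ("112KB").

```python
"""Confirm that a local file is the sample described in this report.

Added example, not part of the sandbox report. Expected digests are copied
from the General section; the file is read once and fed to all hashers.
"""
import hashlib
from typing import Dict, Iterable

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report's General section.
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "84b6c4e328352dcc27e38229a3035554",
    "sha1": "d14807513cd880dbd08efedcb294f5f21ec8f10d",
    "sha256": "85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff",
    "sha512": ("9b67c2c3bb013c2385377ec479b765a0cab8d4368f0779f59e8e89b2bb27f83e"
               "08362551bd972a7080c90428c603c5f92c67be95767fccf0f1b45d51b05a5d6e"),
}


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hex digests of the concatenated chunks, all algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: Dict[str, str],
            expected: Dict[str, str] = REPORT_DIGESTS) -> Dict[str, bool]:
    """Per-algorithm match result; hex case is ignored."""
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def verify_file(path: str,
                expected: Dict[str, str] = REPORT_DIGESTS,
                chunk_size: int = 1 << 20) -> Dict[str, bool]:
    """Read the file once in chunk_size blocks and compare against the report."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return compare(digests(chunks()), expected)


def name_matches_sha256(filename: str, actual_sha256: str) -> bool:
    """The sample is named <sha256>.exe; flag a renamed or substituted file."""
    stem = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].split(".", 1)[0]
    return stem.lower() == actual_sha256.lower()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        result = verify_file(sys.argv[1])
        for name, ok in result.items():
            print(f"{name:7s} {'match' if ok else 'MISMATCH'}")
        print("all match" if all(result.values()) else "not the reported sample")
```

A single algorithm mismatching while the others match points at a typo in the reference values rather than a different file; all four mismatching means a different sample.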
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry; likely used as a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  Process: 85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this likely ransomware behaviour, but on its own it is a weak indicator, and no IoC is recorded for it in this report.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4576  85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process                                                                    procid_target
  PID 4576 wrote to memory of 1528  4576  85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe  83
  (the same entry is recorded three times)
PID 1528 is the cmd.exe child in the process tree below. A parent writing into a child it has just created is consistent with process injection, but some legitimate launches also produce it, so correlate the write with what the child does afterwards rather than treating it as conclusive.
Processes

1. C:\Users\Admin\AppData\Local\Temp\85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe"
   PID: 4576
   - Checks computer location settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 4576)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Rdb..bat" > nul 2> nul
      PID: 1528

The command line names system32 but the executed image is SysWOW64\cmd.exe: WoW64 file-system redirection maps that path for a 32-bit caller, so the sample runs as a 32-bit process. cmd.exe is started with /q (no echo) and /c (run the command, then exit), runs a batch file from the same Temp directory as the sample, and discards both stdout and stderr. The contents of Rdb..bat are not shown in this report.
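The two behaviours with IoCs above, the Geo\Nation registry query and the silenced cmd.exe batch run from Temp, can be expressed as detection logic over process-creation and registry-access telemetry. The code below is an added example, not part of the sandbox report or of the sample; it runs over constructed event records that mirror the report's PIDs and paths (they are not real telemetry), and its field names and function names are this example's own rather than those of any EDR product.

```python
r"""Detection logic for the two behaviours this report records with IoCs.

Added example, not part of the sandbox report or the sample. Checks:
  1. a query of Control Panel\International\Geo\Nation under a user hive
     (the report's "Checks computer location settings" signature);
  2. cmd.exe started with "/q /c" to run a .bat from %LOCALAPPDATA%\Temp,
     stdout and stderr sent to nul, by a parent also running from Temp.
Events below are constructed to mirror the report (PIDs 4576 and 1528).
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"
USER_HIVE_PREFIXES = ("\\registry\\user\\", "hkcu\\", "hkey_current_user\\", "hku\\")
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
BAT_ARG_RE = re.compile(r'"?([a-z]:\\[^"]+?\.bat)"?', re.I)
STDOUT_TO_NUL_RE = re.compile(r"(?<![2-9])>\s*nul\b", re.I)  # "> nul" or "1> nul"
STDERR_TO_NUL_RE = re.compile(r"2>\s*nul\b", re.I)


@dataclass(frozen=True)
class RegistryQuery:
    pid: int
    image: str
    key: str


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def is_geofence_lookup(ev: RegistryQuery) -> bool:
    """Geo\\Nation read from a user hive: the country code a sample can geofence on."""
    key = ev.key.lower()
    return key.endswith(GEO_NATION_SUFFIX) and key.startswith(USER_HIVE_PREFIXES)


def is_silenced_temp_batch(ev: ProcessCreate) -> bool:
    """cmd.exe /q /c <Temp>\\*.bat > nul 2> nul, spawned by a parent that also runs from Temp."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    tokens = ev.cmdline.lower().split()
    if "/q" not in tokens or "/c" not in tokens:
        return False
    bat = BAT_ARG_RE.search(ev.cmdline)
    if bat is None or not TEMP_DIR_RE.match(bat.group(1)):
        return False
    silenced = STDOUT_TO_NUL_RE.search(ev.cmdline) and STDERR_TO_NUL_RE.search(ev.cmdline)
    return bool(silenced) and bool(TEMP_DIR_RE.match(ev.parent_image))


def triage(procs: Sequence[ProcessCreate], regs: Sequence[RegistryQuery]) -> List[str]:
    """One finding string per matching event, registry first, in input order."""
    findings: List[str] = []
    for r in regs:
        if is_geofence_lookup(r):
            findings.append(f"pid {r.pid}: geofence lookup, queried {r.key}")
    for p in procs:
        if is_silenced_temp_batch(p):
            findings.append(f"pid {p.pid} (parent {p.ppid}): silenced cmd.exe batch run from Temp")
    return findings


# Constructed events mirroring the report's registry IoC and process tree.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\85baadccd43a7ac956c499e2b1d6af382001b9c49591faa8a71677f540dd64ff.exe"
SAMPLE_REGS = [
    RegistryQuery(4576, SAMPLE_EXE,
                  r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation"),
    RegistryQuery(4576, SAMPLE_EXE,  # constructed contrast: a machine-hive read, not flagged
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]
SAMPLE_PROCS = [
    ProcessCreate(1528, 4576, r"C:\Windows\SysWOW64\cmd.exe",
                  r'"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Rdb..bat" > nul 2> nul',
                  SAMPLE_EXE),
    ProcessCreate(2200, 1000, r"C:\Windows\System32\cmd.exe",  # constructed benign contrast
                  r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Tool\update.bat"',
                  r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS, SAMPLE_REGS):
        print(line)
```

The batch check deliberately requires all three parts (quiet flags, a .bat under the user's Temp, and both streams redirected to nul) plus a parent in Temp; dropping any one of them turns it into a noisy rule on hosts where installers and update scripts run batch files from Temp.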
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 274B
MD5: 33ad47160c33e228edfc9ac37f37d6b4
SHA1: e5605f59dbeff6eaf832b546d5d618013650dfb3
SHA256: 5da72ccdc30083447d93aa517a74d6aaf2f2a6a7475306602b4eafe2d03d03f1
SHA512: 5c7726fb052ca6e99881d57d548a2dca84d7a6d3dd33686554aba4d6e0a95a1de04c2804fa667931e4bd79703cd9dcdc286262aa4a714cac6ca936e1af7edb2d