de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f

Analysis

max time kernel
186s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe
Size

90KB
MD5

18d292c9617787d14bb9db1ac3e507c2
SHA1

2e305877b8bfc1437307c46ede53949c7a629eac
SHA256

de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f
SHA512

6f8e12ffcb677a898908d822fd7f13b3a8fea8014bcf007c604f77fde45c3e810bb9f208a667489555ae3cf6a1f8346e51bbb04be47e54109dbb7b1674e44b8c
SSDEEP

1536:81dtGmlhGdz2IacJa3u9dfOv919D2AzKUvhWRx0q0cnfRCGRlfXVAG80x5gcR4+t:81dtGmlhGh2I43ubOvXt2I4Kq0cnjRlv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3776	4248	de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe	84
PID 4248 wrote to memory of 3776	4248	de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe	84
PID 4248 wrote to memory of 3776	4248	de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe	84

C:\Users\Admin\AppData\Local\Temp\de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe
"C:\Users\Admin\AppData\Local\Temp\de37eace50cff9383c17c9d817641e121ed172ef46bd9f86c5bc7af45aa6b27f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Sxf..bat" > nul 2> nul
  2⤵
  PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sxf..bat

Filesize
274B

MD5
e451de372ebe51e657b1f37dcc2ecc76

SHA1
d810e0da66e6a48f4f33090c126d60247eb054bc

SHA256
7331c59075e108fd66b93472f9bf42498d5a0c6c422bb161816f6b2d8f6f1cc9

SHA512
fb1d9e96c57cc7887d1c8b89c64c2b1c768a191650aa8c0c87508f27fea389189872d23193f7869be80251de1422068e8b1ff3a4168b4b442f8a0244d0fa9659

Download Submit
memory/4248-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4248-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download