f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f

Analysis

max time kernel
189s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
Size

810KB
MD5

b34dafaebea8d84cbf8dedea70289c39
SHA1

7d0befad7a5cdf380ea4a8b7f83f4b16b51c27cf
SHA256

f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f
SHA512

11d4c38a78d1c2103682b7da2effbf9d8a249950055a54eff8410d2281a8aae3d9f5a176224c3e31cec0118ab74c31f46849845b078aab150576da616819c8b1
SSDEEP

24576:7utr5OUStA6UwSBXzenxiy6ljnYxP7NTmiME/zDc2eAdqXtxUa:7uXgDUwSBXaxYsxNTmyc8dixp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1404	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setup.exe	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
File created	C:\Windows\run.exe	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
File opened for modification	C:\Windows\run.exe	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240605781	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
File created	C:\Windows\setup.exe	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1404	4004	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe	83
PID 4004 wrote to memory of 1404	4004	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe	83
PID 4004 wrote to memory of 1404	4004	f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe	83

C:\Users\Admin\AppData\Local\Temp\f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe
"C:\Users\Admin\AppData\Local\Temp\f021bf183836db9859b6708358aeef7bd326cfd0d14f0e01a700472b2e22782f.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\setup.exe
  "C:\Windows\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\setup.exe

Filesize
788KB

MD5
82ec7dcc8d7c2d3e0aa19a49fd7117b5

SHA1
73c1c3de00abcdd3954bd19235a27d654e26a131

SHA256
362596e2927ab58db2dde214449d15384c1065ee602f62560000b8b1edb23292

SHA512
b67444b7d6e7a528ea4fcdb1424c1d666ec911f8323b7dbd2ede0cf9792a1fe2c00949243e9e1f947f8e9cf4504fa740e2aadac8a13a232a03eb51ba09bdca5c

Download Submit
C:\Windows\setup.exe

Filesize
788KB

MD5
82ec7dcc8d7c2d3e0aa19a49fd7117b5

SHA1
73c1c3de00abcdd3954bd19235a27d654e26a131

SHA256
362596e2927ab58db2dde214449d15384c1065ee602f62560000b8b1edb23292

SHA512
b67444b7d6e7a528ea4fcdb1424c1d666ec911f8323b7dbd2ede0cf9792a1fe2c00949243e9e1f947f8e9cf4504fa740e2aadac8a13a232a03eb51ba09bdca5c

Download Submit