b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe
Size

167KB
MD5

93cf35d6c0c686536fec20cd7436c95c
SHA1

914ae5d2bbe64c4d421af9001e2015cc003bc395
SHA256

b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9
SHA512

e080a0fc7b2a5375cc9fe84556ddab3395068fa19d75979d45115ecc8dbdbe4d97d82971706a7e73b194b10d4963eda5eb01f10a65df696588e58537e82ebca4
SSDEEP

3072:H/sD+8FsYXucsMyPO2IRnL1HSnM5Bs0YreSh6NAnwOc:fv8FsY+cFyG5HSMtYpwGwn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2916	92351.exe
2428	89213.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	89213.exe
2916	92351.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 2916	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	83
PID 3224 wrote to memory of 2916	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	83
PID 3224 wrote to memory of 2916	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	83
PID 3224 wrote to memory of 2428	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	84
PID 3224 wrote to memory of 2428	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	84
PID 3224 wrote to memory of 2428	3224	b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe	84

C:\Users\Admin\AppData\Local\Temp\b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe
"C:\Users\Admin\AppData\Local\Temp\b3eddfc58cff887b966742f222c55e95d08386a46a2ebf1af37aea86020de2b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\92351.exe
  "C:\Users\Admin\AppData\Local\Temp\92351.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\89213.exe
  "C:\Users\Admin\AppData\Local\Temp\89213.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89213.exe

Filesize
24KB

MD5
a6548196f1dff83f05e5cac9e293bfa9

SHA1
41d9fffb2a173cafb7d6d193047bc11e7af54ad6

SHA256
978ebf6b2e823a7c5e72162de1cd044470255bb93c6cc243d81065667d0aafdb

SHA512
30772e86de3bc418da4e8027a9c1b48c462f0382a6a5465550621bbcb47fe308ed19a5ec189e903d0d22b167c9328d1aed79f7fc72880a66678d901ef9045af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\89213.exe

Filesize
24KB

MD5
a6548196f1dff83f05e5cac9e293bfa9

SHA1
41d9fffb2a173cafb7d6d193047bc11e7af54ad6

SHA256
978ebf6b2e823a7c5e72162de1cd044470255bb93c6cc243d81065667d0aafdb

SHA512
30772e86de3bc418da4e8027a9c1b48c462f0382a6a5465550621bbcb47fe308ed19a5ec189e903d0d22b167c9328d1aed79f7fc72880a66678d901ef9045af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\92351.exe

Filesize
28KB

MD5
c816d943adc45e18131417676be9f297

SHA1
537a9331d46270a778d79b25f1ed8ca756774daa

SHA256
c4f6645e51bd4d6ca2d13d3b09bcfc1d4378b2f78b9cf860ab0a749501a7eaef

SHA512
9e3aa6cd54ac10ae3165e62b21b47f789b890dc98e155163a4ea88662d71a861fc89f57656288456d805e15d2285774356578892cf6e5b2ff726c109527730c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\92351.exe

Filesize
28KB

MD5
c816d943adc45e18131417676be9f297

SHA1
537a9331d46270a778d79b25f1ed8ca756774daa

SHA256
c4f6645e51bd4d6ca2d13d3b09bcfc1d4378b2f78b9cf860ab0a749501a7eaef

SHA512
9e3aa6cd54ac10ae3165e62b21b47f789b890dc98e155163a4ea88662d71a861fc89f57656288456d805e15d2285774356578892cf6e5b2ff726c109527730c8

Download Submit
memory/3224-132-0x00007FFE92B90000-0x00007FFE935C6000-memory.dmp

Filesize
10.2MB

Download