d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395

Analysis

max time kernel
115s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe
Size

304KB
MD5

8b4b1dab45007aae6643dce2c2830bef
SHA1

39efc785104757fe511bfdc070d84631ce5b1a75
SHA256

d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395
SHA512

a97e96ebb56a248e0c0a6fcee766dcc6cd82b21c4d2c26e1903ed8a777be33bcab0e155b9f9c835b899113507c1c90d1da6c402e5f93b386b397130e489885b0
SSDEEP

6144:W9P+Wn5YoNhlukGg8AdiJqTh1s5AMXDHl5K3jRrwpN:uPWkdVY6e7zHjK31+N

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	mdEOF1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe
2148	mdEOF1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2148	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	78
PID 4684 wrote to memory of 2148	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	78
PID 4684 wrote to memory of 2148	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	78
PID 4684 wrote to memory of 4388	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	79
PID 4684 wrote to memory of 4388	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	79
PID 4684 wrote to memory of 4388	4684	d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe	79

C:\Users\Admin\AppData\Local\Temp\d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe
"C:\Users\Admin\AppData\Local\Temp\d0e30875a90aa8298b7028ed269ef545fe769dd315027f379dd2199c10ea5395.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\mdEOF1.exe
  "C:\Users\Admin\AppData\Local\Temp\mdEOF1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\melt1.bat
  2⤵
  PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mdEOF1.exe

Filesize
184KB

MD5
9f4932bfa2d123f836e92109e7230d3a

SHA1
64c79102c77e865b402f3ef81a07363a33c3308b

SHA256
8bff77126a7865475d5bf1ece604fa724a2e975f8dfb47c4a5169dd2a4cbf6c5

SHA512
a3cdf4291c7eabc594f7eeaf67644f955a8c6d509f1c2ed386d9471ce7e75c3bb5ed636f1d7386bf6b85f1f1dd6051f70fed769a6b63921e30765965f2ddaf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdEOF1.exe

Filesize
184KB

MD5
9f4932bfa2d123f836e92109e7230d3a

SHA1
64c79102c77e865b402f3ef81a07363a33c3308b

SHA256
8bff77126a7865475d5bf1ece604fa724a2e975f8dfb47c4a5169dd2a4cbf6c5

SHA512
a3cdf4291c7eabc594f7eeaf67644f955a8c6d509f1c2ed386d9471ce7e75c3bb5ed636f1d7386bf6b85f1f1dd6051f70fed769a6b63921e30765965f2ddaf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt1.bat

Filesize
321B

MD5
bba1bf4d0420af586ded8f04487b8c90

SHA1
98156e3f3b249ae239b8ecb19160bbeb90462c11

SHA256
a3fbc7ea6f0b59e18843f16096f9e82be1601146f8d48eb0446cc94bceecae46

SHA512
55f3416aeea7248d8154c58b029033f58febcf42dbc0dad0613d6acb27361fed11f99505ff3c20d23a3f94cf0f841220114dfa8bcaf5035579a7a1705e34468f

Download Submit