b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21

Analysis

max time kernel
154s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
Size

8KB
MD5

4c0ae49fd853be93441c0937379c3851
SHA1

a0eb276720d3ee94cb929f0929ab4946adf93e28
SHA256

b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21
SHA512

56b74b178f0201589deefd4ceffa849afe2b0124f4a844868b333e975cb986db3dfe044635613095e329144c7906a10f5db0cac092526150225d12d500221950
SSDEEP

192:5AnTTGuZVgUHbuzIFaNJhLkwcud2DH9VwGfctl3O:WTLVgUk8aNJawcudoD7US

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4952	b2e.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1416-132-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4952	1416	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	79
PID 1416 wrote to memory of 4952	1416	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	79
PID 1416 wrote to memory of 4952	1416	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	79
PID 4952 wrote to memory of 4336	4952	b2e.exe	80
PID 4952 wrote to memory of 4336	4952	b2e.exe	80
PID 4952 wrote to memory of 4336	4952	b2e.exe	80
PID 4952 wrote to memory of 4788	4952	b2e.exe	83
PID 4952 wrote to memory of 4788	4952	b2e.exe	83
PID 4952 wrote to memory of 4788	4952	b2e.exe	83

C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
"C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\BBF2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\BBF2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BBF2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C23B.tmp\batchfile.bat" "
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BBF2.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBF2.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C23B.tmp\batchfile.bat

Filesize
11B

MD5
accb818196efe9ed6d5f4226e46fb4e9

SHA1
653a51ffe7db555ffb1cd0b05d80fb3d85ef9223

SHA256
e229f8475c6587f6f320c41757166a7383fbbe31a50fc1226bbc19005b1e9a41

SHA512
9a0728205e406daba0d4e17d29d20e92c7218816576f3d9e50c32f84862891118fab0a3d7f556e55122e2e616f2125ed343c059abb73d29868a64c975a580da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
f6dbb6feaf5cbad762c6310a19fe3e43

SHA1
348b7f8391c03f8895f88945165f79081a092e69

SHA256
53e3b25acc31ac5e7349c2e951f78a09901242899a4a84422bb23dae348f2191

SHA512
f2507fb872612d6cde42dd78342b029b8fb0a55eba111f928d434a360feb32750008f1daeefec40c331b4728da6ef44743db30f9d06e187e2d86d95963e2fccd

Download Submit
memory/1416-132-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4952-137-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4952-140-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download