eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e

Analysis

max time kernel
153s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe
Size

1.4MB
MD5

05b287bdfdbc0b6681fbee053486657d
SHA1

5d3c09357bd50a4afdf1e2d109e69b6904234096
SHA256

eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e
SHA512

0edafad12a30eaa926a45efb7e050e14d4d308c4de10e9022593c24372d72438854c107d150197e5bc36e129c68d2c55ff3cd0c89fe84f965e0dd6f8a6d2c4ab
SSDEEP

24576:t5QIOyzG7jOSk1E6D9pW7Yx719g/Xhj++IgYXhAlE+CQpshsApIpFhGrL/l2EFRn:tyT4me9DjW7Gx9g/RS+IgYXhiE+CQxAD

Score

8^/10

evasion

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	FB.exe
1856	·çÔÆ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine	·çÔÆ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 4344	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	84
PID 344 wrote to memory of 4344	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	84
PID 344 wrote to memory of 4344	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	84
PID 344 wrote to memory of 1856	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	85
PID 344 wrote to memory of 1856	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	85
PID 344 wrote to memory of 1856	344	eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe	85

C:\Users\Admin\AppData\Local\Temp\eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe
"C:\Users\Admin\AppData\Local\Temp\eadba38de7aa171945aba1c57ea8b28ef7bdb2b95c122f2f6ceb909ec01ecc4e.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Local\Temp\FB.exe
  "C:\Users\Admin\AppData\Local\Temp\FB.exe"
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\·çÔÆ.exe
  "C:\Users\Admin\AppData\Local\Temp\·çÔÆ.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB.exe

Filesize
453KB

MD5
5737123718c168f4c12a852fc13e0628

SHA1
6c9ab95640ef7ac2ae77de14dbb9a784acf8d4c9

SHA256
52e84d8b72bd2e3523ec43b01c63832c5d6fb51b64372cf77951a2627e7a6f05

SHA512
b2520fa35ad9b66da793e238e1d203919c47bef5d60d38d01ecdaa777fb307e482ea8dfff8b216f1d6694d04ea8b7895fdbcd32318ef468de00fda78ac52cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB.exe

Filesize
453KB

MD5
5737123718c168f4c12a852fc13e0628

SHA1
6c9ab95640ef7ac2ae77de14dbb9a784acf8d4c9

SHA256
52e84d8b72bd2e3523ec43b01c63832c5d6fb51b64372cf77951a2627e7a6f05

SHA512
b2520fa35ad9b66da793e238e1d203919c47bef5d60d38d01ecdaa777fb307e482ea8dfff8b216f1d6694d04ea8b7895fdbcd32318ef468de00fda78ac52cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\·çÔÆ.exe

Filesize
912KB

MD5
e35654cd70945dec8eae367705f291fe

SHA1
1068caa8b43288370593f3592e25461e914b135d

SHA256
0335e741ec08624166474bde6f22055dc2cb3e0be9e64a802003ca6996b18293

SHA512
350e62c2b652b6b70fb97e27b336fe40bbd6fef90af2f7e195925063d6351303ad26cab43d7edc9056af3b5f74beb3ff3970d3a154adbfdea2c4ffc820752310

Download Submit
C:\Users\Admin\AppData\Local\Temp\·çÔÆ.exe

Filesize
912KB

MD5
e35654cd70945dec8eae367705f291fe

SHA1
1068caa8b43288370593f3592e25461e914b135d

SHA256
0335e741ec08624166474bde6f22055dc2cb3e0be9e64a802003ca6996b18293

SHA512
350e62c2b652b6b70fb97e27b336fe40bbd6fef90af2f7e195925063d6351303ad26cab43d7edc9056af3b5f74beb3ff3970d3a154adbfdea2c4ffc820752310

Download Submit
memory/1856-138-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1856-139-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads