0a94a43af2db7bdbada87b34bf03d3b221110d1ca21bbebec55b08767c1281cc

Analysis

max time kernel
102s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyBCD2.4.exe
Size

2.2MB
MD5

2e06476ebe1137f543ee7176d34716e7
SHA1

6eaa6aa0e829ce8af54213f6de77e748c4388e23
SHA256

0a94a43af2db7bdbada87b34bf03d3b221110d1ca21bbebec55b08767c1281cc
SHA512

4f038b1bab87a9c552672a69d2122800e5f6809c6230c2cea4f14000d0c8555393621af0e4e85ef9471a6527d9458a6315576aab9de10058b3c320549f9d0c1e
SSDEEP

49152:vHQLkhcj2sy/yOnZMS3NTQDxX7Cc8kRD7zei:vwLKcjW/yGMoN+Obk1zD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	EasyBCD2.4.exe

Loads dropped DLL 2 IoCs

pid	Process
4736	EasyBCD2.4.exe
4736	EasyBCD2.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2084	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2084	4736	EasyBCD2.4.exe	79
PID 4736 wrote to memory of 2084	4736	EasyBCD2.4.exe	79
PID 4736 wrote to memory of 2084	4736	EasyBCD2.4.exe	79

C:\Users\Admin\AppData\Local\Temp\EasyBCD2.4.exe
"C:\Users\Admin\AppData\Local\Temp\EasyBCD2.4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im easybcd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy6A4A.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6A4A.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit