9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2023 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe
Size

749KB
MD5

420a07c7b5a1a2f57ab84242620df82d
SHA1

9651c6084377fe9f44d5e0f1c94b660204da4a8f
SHA256

9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b
SHA512

a52bda824346c2919677f8ee552c16e9d336a0c51b8984f3cf562a9cae571dcd314e9155fce52a6e37de78136a75fdb793503e14bca7c638a35e33318fbdd945
SSDEEP

12288:Q3TD4DnRfwKl++H2QZ/DQHwAU6LjLTPyQ0YDbimiWzO1a0kCnNXSg98M:kTQuKl++H9M3LT/DPTx0kC1yM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1660	regedit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2512	3444	9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe	81
PID 3444 wrote to memory of 2512	3444	9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe	81
PID 3444 wrote to memory of 2512	3444	9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe	81
PID 2512 wrote to memory of 1660	2512	cmd.exe	84
PID 2512 wrote to memory of 1660	2512	cmd.exe	84
PID 2512 wrote to memory of 1660	2512	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe
"C:\Users\Admin\AppData\Local\Temp\9ec6dd25ff17fc47aabae14966f6e4f6952032b04f8325d75567ee392b260b0b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\eastcom\install\Setup2.4.0.41.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\eastcom\install\ECC_URT_XFS_Upd.reg
    3⤵
    - Runs .reg file with regedit
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\eastcom\install\ECC_URT_XFS_Upd.reg

Filesize
368B

MD5
47cb45dc6d0d9a208d1d7d278a6fdb7d

SHA1
352c7138cdef9b77ec2c243f7f6189b775636aa0

SHA256
ce6fe54c88a45757da9f94bb2aadee359d0317f1fd603f516cd482c3ba911143

SHA512
ad434de523d29a1f9e25d084cd3e10bbaef9350eeef7aca7aa90e7b16d8e1e0ef585a8b50952b77f82a909bff6594e8962fc5f2b222dc29cd148de3b3be307d1

Download Submit
C:\eastcom\install\Setup2.4.0.41.bat

Filesize
169B

MD5
b33374322cc7c0674c8a096f94d25d96

SHA1
23025187a56052be166cddc4eddb60468a682c3c

SHA256
bdebc2f0ee971f43e0a98f6346cf6e7611caa3a37d343cfe5c1f288cbfb17089

SHA512
abfa1e4d5eea8a9d6502280c24576123255fb6d50f2d64b53b2b9a58993ba1a53ab1964bc5fd7f0149f07e26cc5cf12ec69eac457aa4e9e6e5bc1afba2761aea

Download Submit