2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe
Size

2.6MB
MD5

510168a7f604f8584f590ee6bb93a538
SHA1

27f9fc9dbd0bcd5a48ba314798afbe113956fc17
SHA256

2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03
SHA512

23955843cdeb7e2f4ec7332b588eae4f882d7ea393b908bc6c8656887ddd4c07b977ac6fda7269ed07ef5cd137f3c3edf3a1b806213b3bc10401496fca1affe8
SSDEEP

49152:3aD+ppCAvGGPdAE8AiaqXPaXT364Lf6Mee3HJfbIrZKa:qDHCPDLqXPaXrxf6K5f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3980	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3980	3212	2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe	82
PID 3212 wrote to memory of 3980	3212	2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe	82
PID 3212 wrote to memory of 3980	3212	2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe	82

C:\Users\Admin\AppData\Local\Temp\2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe
"C:\Users\Admin\AppData\Local\Temp\2b5e685a771067755cefc6c9a600fe8b5e1a224060935c60a8ce8cdee6302f03.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
953b7a4edf4e28c7bf17260df74bde19

SHA1
b66517fa50303726c55d0de633b68cb7b991b0d9

SHA256
432afc2fd730ab5ca30aba94306a5341b9411c202c9040975b4b20008f868306

SHA512
278ee70fb6ca491f13c9fd223de52894607e0e1e1b5bd7921e8cf1d5f60456bdae122f210c0f9bc3dac5be6601f80b82da8ca2eabf558ee031543e5db855cd31

Download Submit