4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2023, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe
Size

2.7MB
MD5

9838bc4eff23e9552afd9219fc7df60e
SHA1

eef74ed6c780d3f36234c6d0ba36ff624f788774
SHA256

4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733
SHA512

c73e32ac55a45d80ea3d1dce485375f3d39c0397d9b6375e31e58be3c2e0da1c07933091f84225fc6cd26ff88e0dd1d9318395473edd9f6cc1d5ccdeb02fb640
SSDEEP

49152:1xSaa25gHBb7ir8onOE0bjm7zp2a0AQS2RydW6ve08e47zJWN:zSVu5np2a0AQS2Ry+0897

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4424	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4424	4548	4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe	83
PID 4548 wrote to memory of 4424	4548	4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe	83
PID 4548 wrote to memory of 4424	4548	4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe	83

C:\Users\Admin\AppData\Local\Temp\4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe
"C:\Users\Admin\AppData\Local\Temp\4cac47e464db2665232c8a9814e10555ce6f32a13f14f92aff7e9fa264914733.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
97ce3d0368273d5f3058a599fa16c455

SHA1
a85fb783bec8563a3da50d4a8bafa1d0dabe0ad8

SHA256
764bdc2dfb5f83afc1725162ac37589d2722d0b7893c7086dd952e219822a03e

SHA512
e51cf84d7dc8817433b10dcbb04e56443b221c479dfe597013218ec9d1ff6db7fee13fe0502a811b86c046d31b6ada2d4b54096d4c29f9754013fa507d65f7e5

Download Submit