607b1939be9662a3d46070da76eafcf316d7c2fceb933683fcf1d8f3898b9227

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe
Size

2.7MB
MD5

8f9dd1bddf4d5f744a68ff41f2e66584
SHA1

85b60f054c2f86c71b494ed5c2db003ab4e8e731
SHA256

79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e
SHA512

9d6272eb78943820aef3081ce1a63e9c75439f7238f14237c853faf36b9d848bcd1894d572e49498a6e795fd52f88de22d3908cc8e6e601fedafe724668d3902
SSDEEP

49152:VN8HBrq0eKtmrma5wB7Uzq+UVhsuAYfzgGele5wDUQ/Vh:P8H1qBYIzq+UVhsuAEYle5q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5044	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 5044	1760	79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe	85
PID 1760 wrote to memory of 5044	1760	79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe	85
PID 1760 wrote to memory of 5044	1760	79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe	85

C:\Users\Admin\AppData\Local\Temp\79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe
"C:\Users\Admin\AppData\Local\Temp\79798cd455143c5f2a6f70b87bd3e7b05ce5f68ee39409da1b4480c1842f842e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
0f451fb93151150dba9274aaa4916073

SHA1
05700fc86c801194e3e1c22cccfa641da09ee62a

SHA256
5e6c8ccc0963d51213a2cbc700fc69269537c454307fc019876d68f6e903a769

SHA512
178099729965193667289cb64115e42868c75b66589726302f6e4e7af7c0bb4f66edcde03ba16376e3272a2acfd091bd687190311cf6317841f45cef9aa7617c

Download Submit