af1e5a35205ff695a3ef3f804d894e1479cb5c1a7f9b7c904f4b6261035fd9c3

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2023, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe
Size

2.7MB
MD5

c769d7ef70879f6622702c7b779b3116
SHA1

22759453da12d05f18a4dc343dd11eac222bcee0
SHA256

a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2
SHA512

58f69c41d2fd194421b6e334099ea9cdc9782c86efa546883440615f8cc9cd84d703ee127cd61f52b1c4697fb081410b144438113bf05c67e12934e6e47c6791
SSDEEP

49152:EntHBrqP4eKtmPua5wB/kzqCUVhs32eBKBihenM7Ng+C:+tH1qPJYczqCUVhs32F7no

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4156	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4156	1988	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	85
PID 1988 wrote to memory of 4156	1988	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	85
PID 1988 wrote to memory of 4156	1988	a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe	85

C:\Users\Admin\AppData\Local\Temp\a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe
"C:\Users\Admin\AppData\Local\Temp\a2416cf389317c39f2c4ee0e60de90f3d9c316d70af91916e5caf499259e5bc2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\hwid.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hwid.ini

Filesize
44B

MD5
9f0bd4e48ce3f1993f6c260d01d08c49

SHA1
265d7b8117c3bbea9c0e859524ce8a7718da5d12

SHA256
920d328a4878bd9afb9aa46c09f8fd7cca3a746e4f975af29fb7590358d383fa

SHA512
e8bd92fb759614381a6fbb6b877371f28daa1c7d9ec3b56d0b2d096bd36bd0b6a3d8dd661fa32558bce209a7fae11ef74db5afaaaa633255915e204356182b66

Download Submit