e95f97b0da876ef1afe6e5acaabd4082b4614738dd8f9c4c67d330f4a5c1a8f3

Analysis

max time kernel
180s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4cfbe6fc9608429bc0f254c95e26d3.exe
Size

112KB
MD5

7f4cfbe6fc9608429bc0f254c95e26d3
SHA1

e45b3ff34d07f3f7b93de06c54eefbd4b66fcbb3
SHA256

e95f97b0da876ef1afe6e5acaabd4082b4614738dd8f9c4c67d330f4a5c1a8f3
SHA512

5d2042672bc51f6ede2dd5db4ffc9a6739f152a6e31e2b5c48778912161f51e7405dd4a099763f1c4f75510ef6a5a8b51b488a46bd2093cd6c51f31933102be7
SSDEEP

3072:XxdfcFVZ7s+tzlC4hK4leOv4uy+lHxemT0uvEY:7iQU34uye

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	7f4cfbe6fc9608429bc0f254c95e26d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	7f4cfbe6fc9608429bc0f254c95e26d3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1800	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1648	7f4cfbe6fc9608429bc0f254c95e26d3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	7f4cfbe6fc9608429bc0f254c95e26d3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1800	1648	7f4cfbe6fc9608429bc0f254c95e26d3.exe	92
PID 1648 wrote to memory of 1800	1648	7f4cfbe6fc9608429bc0f254c95e26d3.exe	92
PID 1648 wrote to memory of 1800	1648	7f4cfbe6fc9608429bc0f254c95e26d3.exe	92

C:\Users\Admin\AppData\Local\Temp\7f4cfbe6fc9608429bc0f254c95e26d3.exe
"C:\Users\Admin\AppData\Local\Temp\7f4cfbe6fc9608429bc0f254c95e26d3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log.txt

Filesize
16KB

MD5
14c613e639e7fe52381309a313658b7f

SHA1
bfe086a223b550c000351add5dde03466ad05187

SHA256
234f8722e21261fb7c24d7ef16fe46b436e8b4a2eba49e9cb95fb4fab3b32cca

SHA512
7a5631e82f0468241af7953401b91994a5bec90d744ffb3b12c5f19f214b46fbc803fb309d3109d726b6f7ea5a64208a77a4a3c52bfca45fe6ae1767ff1f00bf

Download Submit
memory/1648-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download