7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff

Analysis

max time kernel
94s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe
Size

27KB
MD5

8e532ea4125f550d3f81a4aa0a3c14fd
SHA1

c773c6f39583c00afa911884c072e81ee6f01d38
SHA256

7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff
SHA512

d44f9d4208778e3788b0765df930fa202ef1be00ff317d89f2867a84014f022350fed46703d943e719b539b7bcbdf3cdefd99edac31ecbc334d4dedb0d14c737
SSDEEP

768:sWKBqt2QCEp1jdm/ErDMJeaY/NR3i/jzC:spBqt2QCEp1K4DM4v+C

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3688	NOTEPAD.EXE
4308	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4308	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	94
PID 1560 wrote to memory of 4308	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	94
PID 1560 wrote to memory of 4308	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	94
PID 1560 wrote to memory of 3688	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	95
PID 1560 wrote to memory of 3688	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	95
PID 1560 wrote to memory of 3688	1560	7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe	95

C:\Users\Admin\AppData\Local\Temp\7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe
"C:\Users\Admin\AppData\Local\Temp\7eec44b0ddcfc0ae0930ff863d57116210c0556c5ff01e69864076ed3a7af3ff.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bye.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4308
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hi.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bye.txt

Filesize
18B

MD5
7705f3977d0bbdd4e0c783cae586992f

SHA1
ce06af6e6640c07946e7507d392f46918aab32c6

SHA256
81674324e420d9e46b85d993b330e7f2784e19bd14365481ab72c73541149df3

SHA512
8d2625642a97587de41eb7126812b0b45c6cfc18652dc5dda6e371d22e69c0020646d23505ae8254b7ffd3078b2ad79c2d2926e0eee874123e769ecca9aadef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi.txt

Filesize
16B

MD5
484ed7a95e6d0bd0b2d746da8dd360dd

SHA1
71160cf54b109210343e4a2a691707382a9c9fea

SHA256
734fbfe70bab72f8d3d3abdfa432c3e12340691e491b3bf8fa457d83cd75794a

SHA512
f86fc7d74c1a2f7294b76e52f208542e3b767f1d31c83358943ffd744abaac9e152842a83d23099b0910c2e35217cbf42d6ca6fa5a478d49427d189316a1b5a2

Download Submit
memory/1560-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download