Analysis
-
max time kernel
157s -
max time network
184s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
11-08-2020 12:30
General
-
Target
foo/84bf6e1a8fcd94cf6cba6ac7e2a95b64.exe
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo\84bf6e1a8fcd94cf6cba6ac7e2a95b64.exe"C:\Users\Admin\AppData\Local\Temp\foo\84bf6e1a8fcd94cf6cba6ac7e2a95b64.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_antivirus_license.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_antivirus_license.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-D1QTM.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-D1QTM.tmp\setup.tmp" /SL5="$301C4,138489,56832,C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-777C9.tmp\Upgrade.exe"C:\Users\Admin\AppData\Local\Temp\is-777C9.tmp\Upgrade.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f68ec9fc9d7b2fa8a4a0ad505e787b35
SHA1d494676634a7947c4d246f7fd9d863bfe1af33b8
SHA2564ae96cdb65414fab164fff0119a80138610d03741a3db7c73085b94413904129
SHA512b825ef58df4deb325cdac9236e0565551762eda53e94d4da7d5ba8763c52c58af056392dcf93cb78901a076fc5eb93d36e2f2f0b952f5c61332c6597abc0b5cc
-
MD5
847605ab6dc5bfa901e20e69c736d4d8
SHA11fd6ee040a8fbac6677987fab6619eaa807dba98
SHA2566717990e5cc1e3c7c50c0e65c1353055140cacb5815a58a0aae1babd0125b694
SHA512dd9c570629e054dcb5bf4e6e8800d50f2d29224f19e4a76d91462308722ff308c2f448f235c51c112d2830674dd90e83d9a4eeb082e3928289ae0b289b16204f
-
MD5
2430a6a7078b6659b30c0b8782a81097
SHA11b22048b57104e4596e30716e13d4f19bf1ae3a6
SHA2569411e2970619334238236786237d6e776cf51f8139c6e169d73c9701e73fd685
SHA512eb80b76aa48e4de994d78c3b27b21a4e3e5e8b59794db687c34422e91e77ccdd9919478e2c5fb1cfcdd85b5c0df374b19a1d38b960160580db62399b6c51cb64
-
MD5
0518867ce525fa88243923d57b5f3485
SHA1a54badd613d5c39757219b2a0d0b28d031d70b85
SHA256141bd8bf4ba463210f44224cc29e75f6108e53ccd6240e05f0d1fb1dded50821
SHA512f6aa4a59c25216a12d694a0b1368aed02d2802770c5f6de175d03c0bf2fe1e3d0923807692c36a02c1b225de040e6ce79c92806d8feaf5bc4f3a6f81915f1cdd
-
MD5
19d3497f7845c220a901abbddf801d37
SHA1be6b0e545854e554919c1ed3d7f9265e4fcf9e21
SHA256414e8b7b63cd8886738666848a7477a63de0bd85197f1fc4842ff237d52979dc
SHA512f476e93420c990112a17c73286258f7700089793b52887abb21b1cb28b4643ac0fb6b591c1802828207db57902323aaadcae4c971300d20385d7989b4dcb0369
-
MD5
a87bcef0c06d3cc1201c35b79484952e
SHA11b4dfafab3195c98ae1da36412cdb5343e9ae02b
SHA25637cc918d526cfbb0e0cb66d10becb5257c0794335e68ea4e968a59bb38ed5dd7
SHA512922d462cbc7b4e27e6d23b683204f84fa35c1f8f9bbbd4e74b69e09ebee0bbeb74c20bbd43de88d3ade9fab3c4e5705f01553ea22c7e8ffaabf747c6396a0709
-
MD5
f61402f548a40e51fa821eb3c7916fdb
SHA16906577fa3a85d49d9b7f3fdb46ccd6ff1e23629
SHA2564a7415506887532d9caa50f41b9aa3ea6c190a84763b0634bf3c04f2a69d3748
SHA512b8e6234e7f8d19cac63dff6a15fe18751777b053e42529f6b68d127a82ddbdf7f743e8b889aa03d15412bad468d61afab803829cc8591087e6a8bf81daa3a8cc
-
MD5
d8949f304f80752ae870ae7a9830af1e
SHA1e6619f32f15defc84e33e9261f63b40d87eea1a7
SHA256fa0f123631cd970ffb817e09a66adf03b1acb85cc79efa07241f6370cb47cc45
SHA51204457875dcdcfc6c010afa67e6166248a0e4d724d0aee262067d084093d473846f528ec3df5c5df8bc0d0293ffdf83960e954bd7c7918f8709ef1706dbc99b99
-
MD5
ff24736b88ecc23913bebf59bbea0bcc
SHA11be3371fb8089aab645f7b350776c303832b3bb7
SHA256e0057ec01486fa81cf224e7849418496d45363f848ef7ea4b89bdd924284afea
SHA512f6a1e384e1c9fac62162b80e203ae42d8a22f9dc68d5ff907d14d9389724cd300fe659ff0684d4b58dbe200202031d23c01089bc02ddcee7e6691cf154c38c9a
-
MD5
ae10a4b07e60fb31f794da18b751a3ac
SHA1019a028e5e931ac1cc045be0a87227f852ff413d
SHA256a524f6b47c3aabbb21ad262c09cc6a7ed5025fa52c7b1e107bad4a7c2216a254
SHA512eb37c674ae32a9e67c0eaf53550deafd8c7b52d848b0e0efc01ffdd41f6bd307c42473312654b511ec7ad9b2661f64bed5c373c4fb68fbd3872542bc52f7e065
-
MD5
07460bae625908225cc9c6767415c842
SHA1e8470df526dc8eef1a64a63b36b6b07f5fe4a79c
SHA256000553c2c9e74bebb3f84f678bb0fe53bc97cbb3d514034541ba11b94f28fe2e
SHA512205a0de442cb434773028a276a4fa1a5985a863f614dfa0bbece711f06356c9cebe10136780f4ee6c14c1c2f7205f5a0abb519580171528d39077b6d8bf948b8
-
MD5
37336b17ee9efcc917387e7b22d2fc2f
SHA1218b0cb297b3f2b9e438f797a9374bddd8426d07
SHA25618a325878ae0ca794ea1012d92d955dd42641b5ce3424045d7e59d993f061f4b
SHA51203ee8ce6b21607e2adad448e9218a444be68b779adc680d9ba5080d9ac022848d298527d7d3fb62d0ac389939bd8b718e48e8b16856bcff4c902f0416beda090
-
MD5
bf26f332669026b45871528083fd9add
SHA156a47c6b2d3b6792d279041460dd95a5f06ba6cb
SHA256c08afbc0b00d13e6a5aaf7450b18f7a24ff2d4bb33796a9e56815d134308873e
SHA5122b7d956107f7a57646bf6b29669c7ea12f2024c0abe49b2420fdde9024636339cd7656d3a0a1c9ae636c1e09548b20e0e47e6c410caee68126f5b66c52f65e47
-
MD5
ea129e48a5a38801b716b75128100153
SHA190458f8ff8be92bce59b06804209dd2f5ee26b8d
SHA256092ac8c78a1b69715b93e661913d94ffa194402ecbdbd0b2d01a8d2cc5dd4cac
SHA51277d43d9a40a3c188ec05b50c687fd3dfddc7e4bcc5e16385721440aea69f7112f0f7ddf33a2b66c25858a0f6979c6b396870c08d5db2e5d7f44795424c0cc53f
-
MD5
99c06a99d02b512f4bde1abae2465af6
SHA14bbb1fc293437929c9e1e4f66f6df6eaa8041ee8
SHA2569ccf75cc457ccf8eb7284b49d6563603fd46852927e879c1600baa85896749e7
SHA5128f6a558bb62d03c7958097c9ccda6122cd2d73f9d31f6e00e4e1c7027159ec7ae67afdeb45449681b0491a1a75471efec819373a496f20a4fce180db99ae14e9
-
MD5
99c06a99d02b512f4bde1abae2465af6
SHA14bbb1fc293437929c9e1e4f66f6df6eaa8041ee8
SHA2569ccf75cc457ccf8eb7284b49d6563603fd46852927e879c1600baa85896749e7
SHA5128f6a558bb62d03c7958097c9ccda6122cd2d73f9d31f6e00e4e1c7027159ec7ae67afdeb45449681b0491a1a75471efec819373a496f20a4fce180db99ae14e9
-
MD5
1a2f91043b9cad2ca07f409948708309
SHA1355d6d91f27a464503535749aca3266dfa8c5ae3
SHA256812416093b576b92dc23e83314d077870476d6f84454ab4c6a2479553023cc9c
SHA51266e2330a0fa2c8600e747faf5c9687af3154ecfd8150f66e7f15b2f96b1910c7b1e0a8a4b18972d16fa6f63b03c058272d8d0e08002d9981cb8375d15c27009a
-
MD5
1a2f91043b9cad2ca07f409948708309
SHA1355d6d91f27a464503535749aca3266dfa8c5ae3
SHA256812416093b576b92dc23e83314d077870476d6f84454ab4c6a2479553023cc9c
SHA51266e2330a0fa2c8600e747faf5c9687af3154ecfd8150f66e7f15b2f96b1910c7b1e0a8a4b18972d16fa6f63b03c058272d8d0e08002d9981cb8375d15c27009a
-
MD5
fa210703ef9c064fdb880a6203f67f4e
SHA14f856e90f71b05120bd925bbef52df41b85f5e98
SHA256c1406704ede8ff64cbc51cba887dc47463b6ccc96d58b1a5b7bf305a68c461ca
SHA51230f70040ec6460905a9557b58dbcddcfaf1c644058e38e5144d7ef62481d765f43e558b4cf88eb5f8b8209b3eeeebc893f70b4312afa29bf052c3e0ad6e4d119
-
MD5
fa210703ef9c064fdb880a6203f67f4e
SHA14f856e90f71b05120bd925bbef52df41b85f5e98
SHA256c1406704ede8ff64cbc51cba887dc47463b6ccc96d58b1a5b7bf305a68c461ca
SHA51230f70040ec6460905a9557b58dbcddcfaf1c644058e38e5144d7ef62481d765f43e558b4cf88eb5f8b8209b3eeeebc893f70b4312afa29bf052c3e0ad6e4d119
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
Filesize
588KB
-
-
Filesize
588KB
-
-
Filesize
588KB
-
-
Filesize
588KB
-