Analysis
- max time kernel: 7s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-01-2022 19:00
Static task: static1
Behavioral task: behavioral1
- Sample: 8f161c203384b95bc5b20e122a9c1c68.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 8f161c203384b95bc5b20e122a9c1c68.exe
- Resource: win10v2004-en-20220113
General
- Target: 8f161c203384b95bc5b20e122a9c1c68.exe
- Size: 323KB
- MD5: 8f161c203384b95bc5b20e122a9c1c68
- SHA1: c72b4a03fef8c75ff0aab7bd97722249c9334ab0
- SHA256: 4ea881ce90cbf4c9f6f26b940e062bbd147531c6754390f7e61784d892b54668
- SHA512: 5b057a81759833c140153d4154f03ec6f0d544411f6739310b0c9f271b77d613c50062076a9aec951a527fed3aa55cc9d2fdd2a9bdd337912e020cd986066587
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 8f161c203384b95bc5b20e122a9c1c68.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2744 | 8f161c203384b95bc5b20e122a9c1c68.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 2744 wrote to memory of 3700 | 2744 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 2744 wrote to memory of 3700 | 2744 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 2744 wrote to memory of 3700 | 2744 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of [1])
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=
    (The -enc argument is base64 of a UTF-16LE string and decodes to: ping yahoo.com; ping yahoo.com;ping yahoo.com;ping yahoo.com;ping yahoo.com;)