Analysis
Max time kernel: 2s
Max time network: 27s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 20-01-2022 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9618345aad276496e7d33d390a0cdf5e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9618345aad276496e7d33d390a0cdf5e.exe
  Resource: win10v2004-en-20220113
General
Target: 9618345aad276496e7d33d390a0cdf5e.exe
Size: 322KB
MD5: 9618345aad276496e7d33d390a0cdf5e
SHA1: 49ea625e58a17a1992c767fc7afb137dbfd0419a
SHA256: dc9ddeb5493a529530acf29a62a5de10bef65ffb22ebea264818058bf9223ae6
SHA512: 9c4d96bba45a6e589d597277d8454a89781a53b0b6419b4f4ef04f02576a424f7efdc5a9c4f5a426742544d6d054b1ab14aebad6a6a6a355c8c3a0345778ca6d
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Description       | IoC                                                                                                              | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 9618345aad276496e7d33d390a0cdf5e.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Description              | PID  | Process
  Token: SeDebugPrivilege  | 3708 | 9618345aad276496e7d33d390a0cdf5e.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  Description                      | PID  | Process                              | Target process
  PID 3708 wrote to memory of 1240 | 3708 | 9618345aad276496e7d33d390a0cdf5e.exe | powershell.exe
  PID 3708 wrote to memory of 1240 | 3708 | 9618345aad276496e7d33d390a0cdf5e.exe | powershell.exe
  PID 3708 wrote to memory of 1240 | 3708 | 9618345aad276496e7d33d390a0cdf5e.exe | powershell.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\9618345aad276496e7d33d390a0cdf5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9618345aad276496e7d33d390a0cdf5e.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of the above): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=