Analysis
- max time kernel: 128s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 03-02-2022 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
  Resource: win10v2004-en-20220113
General
- Target: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
- Size: 406KB
- MD5: 27618e24c576d88396237132b13e0b7a
- SHA1: 5c7055878d8dd12a8bff678194f054ba74328a28
- SHA256: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8
- SHA512: 37250461692acc1cd34a0f406d8eb1b3043c06afdb91b598cecf19dbdac95f909c9cb36246a730fdfd215aabcb8af21529e96431e70a2cb3a5c2487945010055
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4116, process asasasasas.Exe
- Sets service image path in registry (2 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe)
- Drops file in System32 directory (5 IoCs)
  Processes: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
    File created: C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_30259359
    File created: C:\Windows\SysWOW64\asasasasas.Exe
    File opened for modification: C:\Windows\SysWOW64\asasasasas.Exe
    File created: C:\Windows\SysWOW64\1-natalie-portman-oscars-2011-254x169.jpg
    File opened for modification: C:\Windows\SysWOW64\1-natalie-portman-oscars-2011-254x169.jpg
- Drops file in Windows directory (6 IoCs)
  Processes: svchost.exe
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification: C:\Windows\WindowsUpdate.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (41 IoCs)
  Processes: WaaSMedicAgent.exe (all entries below are "Key created" by WaaSMedicAgent.exe)
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
    \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: svchost.exe
    Token: SeShutdownPrivilege (pid 4876, svchost.exe)
    Token: SeCreatePagefilePrivilege (pid 4876, svchost.exe)
    Token: SeShutdownPrivilege (pid 4876, svchost.exe)
    Token: SeCreatePagefilePrivilege (pid 4876, svchost.exe)
    Token: SeShutdownPrivilege (pid 4876, svchost.exe)
    Token: SeCreatePagefilePrivilege (pid 4876, svchost.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe, asasasasas.Exe, fondue.exe
    PID 3160 wrote to memory of 4116 (d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe -> asasasasas.Exe)
    PID 3160 wrote to memory of 4116 (d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe -> asasasasas.Exe)
    PID 3160 wrote to memory of 4116 (d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe -> asasasasas.Exe)
    PID 4116 wrote to memory of 4716 (asasasasas.Exe -> fondue.exe)
    PID 4116 wrote to memory of 4716 (asasasasas.Exe -> fondue.exe)
    PID 4116 wrote to memory of 4716 (asasasasas.Exe -> fondue.exe)
    PID 4716 wrote to memory of 4388 (fondue.exe -> FonDUE.EXE)
    PID 4716 wrote to memory of 4388 (fondue.exe -> FonDUE.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9650f2c1f89253bc02c64204c65668e7ec01227a4b5b40d8793499c9c1ad2c8.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\asasasasas.Exe
    Command line: "C:\Windows\System32\asasasasas.Exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 136bcc1f9ccecd0afe7a4b89d410c0ae HEi96ZH5BEeV6ft6KBdI+g.0.1.0.0.0
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\asasasasas.Exe
  MD5: 21bb098ec4f345d81f4eb2843ad8e6bd
  SHA1: 6e217ca6f104fa09f1e5546f6bcb51cbe00f11c4
  SHA256: 842e674dc7524ea7a7810465a6b94f7c163e1828925e2532daca066ee1cb48a2
  SHA512: fbcd795e54dd22a67ddf463c28f1d693d58aabb1b76268515e193ce2b6b347704974dc42ca54dd081510540b4ac05f52f343fbb7380fa0638f66a5e9d2adf682
- memory/4876-345-0x000001EE28D90000-0x000001EE28D94000-memory.dmp
  Filesize: 16KB