Analysis

  • max time kernel
    163s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    07/02/2022, 02:48

General

  • Target

    405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe

  • Size

    1.2MB

  • MD5

    55d3bf6845cb75b495704d3d3be3e406

  • SHA1

    1e078c1e5937db4ebec4a24d75dd777ad4e175ff

  • SHA256

    405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0

  • SHA512

    c904b9016fe932e0a4187467279cfa28cf4daa719674ff63d568bff706faac8d520fcb283d2d26eba2a83ded61119e32284a2aafc1872f1bbe4db07809170a1e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
    "C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70C8.tmp\70C9.bat C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\70C8.tmp\2.exe
        2.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:1856
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3036
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Modifies data under HKEY_USERS
    PID:3220

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads