Analysis

- max time kernel: 177s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 07/02/2022, 08:46
Behavioral tasks

- behavioral1
  Sample: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
  Resource: win7-en-20211208

- behavioral2
  Sample: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
  Resource: win10v2004-en-20220113

The signatures and process tree on this page come from the win10v2004-en-20220113 run (behavioral2); the Windows 7 task is listed for reference only.
General

- Target: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
- Size: 64KB
- MD5: 9f66ae4cf67d2bd7a20b358f19a911c6
- SHA1: fbba0cf5aaf04cc62986f3f384f649cce3571f12
- SHA256: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb
- SHA512: 940b6a9536f20fda14cd61c308432c46878eb495bbf9b34d07a2d5c91e84f0d52baea94acb0c4c82a812e5191edb9bfce0c46af3f1bddbad4d4ecf511397da31
Malware Config

(none listed)

Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. Caveat: Geo\Nation is also read by plenty of legitimate installers and runtimes for locale handling, so this single query is weak evidence of geofencing on its own; it gains weight only if the script later branches on the value, which this report does not show.

  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: 0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
- Drops file in Windows directory (6 IoCs)
  All six writes come from svchost.exe (PID 2712, hosting the Windows Update service wuauserv) touching its own datastore and logs. That process is a separate root in the process tree, not a child of the sample, so this is sandbox background activity rather than something the sample did.

  File opened for modification (process: svchost.exe):
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    C:\Windows\SoftwareDistribution\ReportingEvents.log
    C:\Windows\WindowsUpdate.log
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but no IoC is attached to it, and the only file-system activity in the process tree is two dir listings under %TEMP%\App. No encryption, mass renaming or ransom-note activity is recorded anywhere in this report, so treat this heuristic as unconfirmed.
- Modifies registry class (13 IoCs)
  All 13 deletions are the fallout of a single command, reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Interface" /f (PID 3964): the Interface key and every per-user COM interface registration beneath it (each GUID key plus its ProxyStubClsid32 and TypeLib subkeys) are removed in one shot. Four interface GUIDs were registered on the image, so 1 + 4 x 3 = 13 keys. Wiping HKCU\Software\Classes\Interface breaks per-user COM marshalling for whatever software had registered those interfaces; the report does not say which product they belonged to.

  Key deleted (process: reg.exe), under \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Interface:
    (the Interface key itself)
    {1EDD003E-C446-43C5-8BA0-3778CC4792CC}, \ProxyStubClsid32, \TypeLib
    {2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}, \ProxyStubClsid32, \TypeLib
    {50487D09-FFA9-45E1-8DF5-D457F646CD83}, \ProxyStubClsid32, \TypeLib
    {A87958FF-B414-7748-9183-DBF183A25905}, \ProxyStubClsid32, \TypeLib
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  svchost.exe (PID 2712, wuauserv) enables SeShutdownPrivilege and SeCreatePagefilePrivilege three times each. As with the file writes above, this is the Windows Update service, not the sample.

  Token: SeShutdownPrivilege        PID 2712  svchost.exe  (3 times)
  Token: SeCreatePagefilePrivilege  PID 2712  svchost.exe  (3 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Every write here is a parent writing into a child it has just created, which is part of the normal CreateProcess sequence (the parent populates the new process's parameter block before its first thread runs). Each parent/child pair appears twice in the report. Read these rows as a parent/child map, not as injection into a foreign process. The procid_target column is the report's own sequential process index for the target, distinct from the Windows PID.

  pid   Process                                                                   wrote to PID   procid_target
  3500  0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe     1916           86
  1916  cmd.exe                                                                   4332           90
  1916  cmd.exe                                                                   4380           91
  1916  cmd.exe                                                                   3964           92
  1916  cmd.exe                                                                   3188           93
  1916  cmd.exe                                                                   216            94
Processes

- C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe  (PID 3500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe  (PID 1916)
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4BB.tmp\4CC.bat C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe  (PID 4332)
      Command line: C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\Engine\*.exe /b

    - C:\Windows\system32\cmd.exe  (PID 4380)
      Command line: C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\*.exe /b

    - C:\Windows\system32\reg.exe  (PID 3964)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Interface" /f
      Signatures: Modifies registry class

    - C:\Windows\system32\reg.exe  (PID 3188)
      Command line: reg delete "HKEY_CURRENT_USER\Software\AlanThinker" /f

    - C:\Windows\system32\reg.exe  (PID 216)
      Command line: reg add "HKEY_CURRENT_USER\Software\AlanThinker\Data\6" /v "isVideoPlayed" /t REG_SZ /d "True" /f

- C:\Windows\system32\svchost.exe  (PID 2712)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree:
- The sample (PID 3500) does nothing directly except run cmd.exe on a script it unpacked to %TEMP%\4BB.tmp\4CC.bat, passing its own path as the script's first argument. That is consistent with a batch-to-executable wrapper: the 64KB executable is the container and the .bat is the payload, so the script is what should be recovered and read.
- The launch goes through C:\Windows\sysnative\cmd.exe. The sysnative alias exists only for 32-bit processes running under WOW64, so the dropper is a 32-bit binary deliberately reaching for the native 64-bit cmd.exe (the image path resolves to system32).
- The script lists *.exe under %TEMP%\App and %TEMP%\App\Engine, force-deletes the per-user COM Interface registrations and the HKCU\Software\AlanThinker key, then re-creates HKCU\Software\AlanThinker\Data\6 with isVideoPlayed = "True". Nothing else attributable to the sample is recorded in this report: no network activity, no persistence, and no execution of anything found by the two dir listings.
- svchost.exe (PID 2712) is a second root, not a descendant of the sample; its two signatures are Windows Update noise from the sandbox image.
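Separating what the sample did from sandbox background noise is a matter of turning the WriteProcessMemory rows into a parent/child tree and walking it from the sample's PID. The following Python is an added example, not part of the sandbox report or its tooling. The row format, the PID-to-command-line table and the tag names (reg_delete, forced, wipes_user_com_interface_registrations) are this script's own constructions, populated from the values on this page.

```python
"""Rebuild the parent/child tree from a sandbox report's WriteProcessMemory rows
and decide which signatures belong to the sample. Added example; the row format
and the PID/command-line table below are constructed to mirror the report above."""
import re
from collections import defaultdict

SAMPLE = "0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed copy of the report's "Suspicious use of WriteProcessMemory" rows.
# Each parent->child write is logged twice, exactly as in the report.
WPM_ROWS = f"""
PID 3500 wrote to memory of 1916 3500 {SAMPLE} 86
PID 3500 wrote to memory of 1916 3500 {SAMPLE} 86
PID 1916 wrote to memory of 4332 1916 cmd.exe 90
PID 1916 wrote to memory of 4332 1916 cmd.exe 90
PID 1916 wrote to memory of 4380 1916 cmd.exe 91
PID 1916 wrote to memory of 4380 1916 cmd.exe 91
PID 1916 wrote to memory of 3964 1916 cmd.exe 92
PID 1916 wrote to memory of 3964 1916 cmd.exe 92
PID 1916 wrote to memory of 3188 1916 cmd.exe 93
PID 1916 wrote to memory of 3188 1916 cmd.exe 93
PID 1916 wrote to memory of 216 1916 cmd.exe 94
PID 1916 wrote to memory of 216 1916 cmd.exe 94
"""

# Constructed PID -> command line table, taken from the Processes section.
PROCESSES = {
    3500: f'"{TEMP}\\{SAMPLE}"',
    1916: f'"C:\\Windows\\sysnative\\cmd.exe" /c "{TEMP}\\4BB.tmp\\4CC.bat {TEMP}\\{SAMPLE}"',
    4332: f"C:\\Windows\\system32\\cmd.exe /c dir {TEMP}\\App\\Engine\\*.exe /b",
    4380: f"C:\\Windows\\system32\\cmd.exe /c dir {TEMP}\\App\\*.exe /b",
    3964: r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Interface" /f',
    3188: r'reg delete "HKEY_CURRENT_USER\Software\AlanThinker" /f',
    216:  r'reg add "HKEY_CURRENT_USER\Software\AlanThinker\Data\6" /v "isVideoPlayed" /t REG_SZ /d "True" /f',
    2712: r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """(parent_pid, child_pid) pairs; the set collapses the duplicated rows."""
    return {(int(p), int(c)) for p, c in WPM_RE.findall(rows)}


def children_of(edges):
    kids = defaultdict(set)
    for p, c in edges:
        kids[p].add(c)
    return kids


def descendants(edges, root):
    """Every PID reachable from root through parent->child writes."""
    kids, seen, todo = children_of(edges), set(), [root]
    while todo:
        for c in kids[todo.pop()]:
            if c not in seen:
                seen.add(c)
                todo.append(c)
    return seen


def roots(edges, procs):
    """PIDs that nothing in the report wrote into: each starts its own tree."""
    parent_of = {c: p for p, c in edges}
    return sorted(pid for pid in procs if pid not in parent_of)


def render_tree(edges, procs, root, depth=0):
    lines = ["  " * depth + f"{root}  {procs.get(root, '<unknown>')}"]
    for c in sorted(children_of(edges)[root]):
        lines += render_tree(edges, procs, c, depth + 1)
    return lines


REG_DELETE_RE = re.compile(
    r'^\s*reg(?:\.exe)?\s+delete\s+"?(?P<key>[^"\s]+)"?(?P<rest>.*)$', re.I)


def classify_reg(cmdline):
    """Tags for reg.exe deletions. The Classes\\Interface wipe is the command that
    produced all 13 'Modifies registry class' IoCs in the report."""
    m = REG_DELETE_RE.match(cmdline)
    if not m:
        return []
    tags = ["reg_delete"]
    if "/f" in m.group("rest").lower():
        tags.append("forced")
    if m.group("key").lower().endswith(r"\classes\interface"):
        tags.append("wipes_user_com_interface_registrations")
    return tags


def is_wow64_child(cmdline):
    """The \\sysnative\\ alias exists only for 32-bit processes under WOW64, so a
    child launched through it tells you the launcher was a 32-bit binary."""
    return "\\sysnative\\" in cmdline.lower()


def triage(edges, procs, sample_pid):
    owned = descendants(edges, sample_pid) | {sample_pid}
    findings = [(pid, t) for pid in sorted(owned) for t in classify_reg(procs[pid])]
    return {
        "owned": owned,
        "findings": findings,
        "sample_is_32bit": any(is_wow64_child(procs[p]) for p in owned),
        "unrelated": sorted(set(procs) - owned),  # background noise, not the sample
    }


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    for r in roots(edges, PROCESSES):
        print("\n".join(render_tree(edges, PROCESSES, r)))
    print(triage(edges, PROCESSES, 3500))
```

Run against the constructed rows, triage() puts PIDs 1916, 4332, 4380, 3964, 3188 and 216 under the sample, reports 2712 (svchost.exe) as unrelated, flags PID 3964 for the Classes\Interface wipe, and infers from the sysnative launch that the dropper is 32-bit. The same walk works on any report whose IoC rows expose parent and child PIDs; only the regular expression needs adapting to a different sandbox's wording.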