Analysis

  • max time kernel
    177s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    07/02/2022, 08:46

General

  • Target

    0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe

  • Size

    64KB

  • MD5

    9f66ae4cf67d2bd7a20b358f19a911c6

  • SHA1

    fbba0cf5aaf04cc62986f3f384f649cce3571f12

  • SHA256

    0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb

  • SHA512

    940b6a9536f20fda14cd61c308432c46878eb495bbf9b34d07a2d5c91e84f0d52baea94acb0c4c82a812e5191edb9bfce0c46af3f1bddbad4d4ecf511397da31

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe
    "C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4BB.tmp\4CC.bat C:\Users\Admin\AppData\Local\Temp\0bac58d90b6adc3de8ab0527a0a3b8791367ed4ea1ff91aea4582d6dbfd695bb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\Engine\*.exe /b
        3⤵
          PID:4332
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c dir C:\Users\Admin\AppData\Local\Temp\App\*.exe /b
          3⤵
            PID:4380
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Interface" /f
            3⤵
            • Modifies registry class
            PID:3964
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\AlanThinker" /f
            3⤵
              PID:3188
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\AlanThinker\Data\6" /v "isVideoPlayed" /t REG_SZ /d "True" /f
              3⤵
                PID:216
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
            1⤵
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2712

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/2712-131-0x0000016FDBBA0000-0x0000016FDBBB0000-memory.dmp

                  Filesize

                  64KB

                • memory/2712-138-0x0000016FDEF80000-0x0000016FDEF84000-memory.dmp

                  Filesize

                  16KB