Analysis
-
max time kernel
200s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
07/02/2022, 18:43
Behavioral task
behavioral1
Sample
ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
Resource
win10v2004-en-20220113
General
-
Target
ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
-
Size
382KB
-
MD5
0c9b30c85cb587a3c17f64ff2ce347c9
-
SHA1
005cf3cfa64ecb1c5868fba1877993e38bebd13a
-
SHA256
ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0
-
SHA512
09ef2ac19691d53ee889b569ed3e3df364829ec2a1943c2d9c2e0c513d16f0f33aa17db2de86c26fcfebb4c2c140e2bb913bff850f6474d843ce94e0f38bc01b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4768 2.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
description pid Process Token: SeShutdownPrivilege 2324 svchost.exe Token: SeCreatePagefilePrivilege 2324 svchost.exe Token: SeShutdownPrivilege 2324 svchost.exe Token: SeCreatePagefilePrivilege 2324 svchost.exe Token: SeShutdownPrivilege 2324 svchost.exe Token: SeCreatePagefilePrivilege 2324 svchost.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe Token: SeBackupPrivilege 2488 TiWorker.exe Token: SeRestorePrivilege 2488 TiWorker.exe Token: SeSecurityPrivilege 2488 TiWorker.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4872 wrote to memory of 928 4872 ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe 83 PID 4872 wrote to memory of 928 4872 ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe 83 PID 928 wrote to memory of 4768 928 cmd.exe 86 PID 928 wrote to memory of 4768 928 cmd.exe 86 PID 928 wrote to memory of 4768 928 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6087.tmp\6098.bat C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe2.exe3⤵
- Executes dropped EXE
PID:4768
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2488