Analysis

  • max time kernel
    200s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    07/02/2022, 18:43

General

  • Target

    ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe

  • Size

    382KB

  • MD5

    0c9b30c85cb587a3c17f64ff2ce347c9

  • SHA1

    005cf3cfa64ecb1c5868fba1877993e38bebd13a

  • SHA256

    ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0

  • SHA512

    09ef2ac19691d53ee889b569ed3e3df364829ec2a1943c2d9c2e0c513d16f0f33aa17db2de86c26fcfebb4c2c140e2bb913bff850f6474d843ce94e0f38bc01b

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
    "C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6087.tmp\6098.bat C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe
        2.exe
        3⤵
        • Executes dropped EXE
        PID:4768
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2324
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2488

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2324-145-0x0000023CAB3E0000-0x0000023CAB3E4000-memory.dmp

          Filesize

          16KB