Analysis

  • max time kernel
    151s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08/02/2022, 17:30

General

  • Target

    b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe

  • Size

    3.0MB

  • MD5

    18d677163ec5b5be2f78051cd465f13f

  • SHA1

    a9ece82cb71de649fec043b19567b07258d3a8bf

  • SHA256

    b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5

  • SHA512

    6c6b9bba0782e57dc799f1fedc8f2f0b4a5117701348fa5f94fd32820b963dc03cef8bb161dd012336c13468be9d73010f8d9ebd10ad72814b7b7f75d9ff58bb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe
    "C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\975B.tmp\975C.bat C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe
        3.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2984
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2984-133-0x000002341F620000-0x000002341F630000-memory.dmp

          Filesize

          64KB

        • memory/2984-134-0x000002341F680000-0x000002341F690000-memory.dmp

          Filesize

          64KB

        • memory/2984-135-0x0000023421D40000-0x0000023421D44000-memory.dmp

          Filesize

          16KB