Analysis
-
max time kernel
25s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
20-02-2022 01:38
Static task
static1
Behavioral task
behavioral1
Sample
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
Resource
win10v2004-en-20220113
General
-
Target
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
-
Size
203KB
-
MD5
1204f4881b1b67007e74e3129ae74992
-
SHA1
1a184b8e44c447140300946287300b8f382654ac
-
SHA256
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b
-
SHA512
c87ef11347596e0969309568a92f138810eb13b46378ce5c2321597d2b006d65165d711ebb9a3372d3396c730ce7c552a0b54562e873ddba8513590316458e47
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PYddFde.exepid process 2576 PYddFde.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exepid process 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exedescription pid process Token: SeDebugPrivilege 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exedescription pid process target process PID 1964 wrote to memory of 2576 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe PYddFde.exe PID 1964 wrote to memory of 2576 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe PYddFde.exe PID 1964 wrote to memory of 2312 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe sihost.exe PID 1964 wrote to memory of 2340 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe svchost.exe PID 1964 wrote to memory of 2424 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe taskhostw.exe PID 1964 wrote to memory of 3156 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe svchost.exe PID 1964 wrote to memory of 3368 1964 d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe DllHost.exe
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe"C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PYddFde.exe"C:\Users\Admin\AppData\Local\Temp\PYddFde.exe" 8 LAN2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\PYddFde.exeMD5
1204f4881b1b67007e74e3129ae74992
SHA11a184b8e44c447140300946287300b8f382654ac
SHA256d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b
SHA512c87ef11347596e0969309568a92f138810eb13b46378ce5c2321597d2b006d65165d711ebb9a3372d3396c730ce7c552a0b54562e873ddba8513590316458e47
-
C:\Users\Admin\AppData\Local\Temp\PYddFde.exeMD5
1204f4881b1b67007e74e3129ae74992
SHA11a184b8e44c447140300946287300b8f382654ac
SHA256d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b
SHA512c87ef11347596e0969309568a92f138810eb13b46378ce5c2321597d2b006d65165d711ebb9a3372d3396c730ce7c552a0b54562e873ddba8513590316458e47
-
memory/2312-132-0x00007FF6E3240000-0x00007FF6E33B5000-memory.dmpFilesize
1.5MB
-
memory/2340-133-0x00007FF6E3240000-0x00007FF6E33B5000-memory.dmpFilesize
1.5MB