Analysis
- Max time kernel: 182s
- Max time network: 203s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 20-02-2022 09:01
Static task: static1
Behavioral task: behavioral1
- Sample: 2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
- Resource: win10v2004-en-20220113
General
- Target: 2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
- Size: 193KB
- MD5: cfb761465693bd4511f038d8e468e62e
- SHA1: c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86
- SHA256: 2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912
- SHA512: 2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  4556  asvyDmo.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  4556  asvyDmo.exe
  4556  asvyDmo.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeBackupPrivilege  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  Token: SeBackupPrivilege  4556  asvyDmo.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process / target process):
  PID 1604 wrote to memory of 4556  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  asvyDmo.exe
  PID 1604 wrote to memory of 4556  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  asvyDmo.exe
  PID 1604 wrote to memory of 4556  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  asvyDmo.exe
  PID 1604 wrote to memory of 4700  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 1604 wrote to memory of 4700  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 1604 wrote to memory of 4700  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 4700 wrote to memory of 1144  4700  net.exe  net1.exe
  PID 4700 wrote to memory of 1144  4700  net.exe  net1.exe
  PID 4700 wrote to memory of 1144  4700  net.exe  net1.exe
  PID 1604 wrote to memory of 4956  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 1604 wrote to memory of 4956  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 1604 wrote to memory of 4956  1604  2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe  net.exe
  PID 4956 wrote to memory of 4012  4956  net.exe  net1.exe
  PID 4956 wrote to memory of 4012  4956  net.exe  net1.exe
  PID 4956 wrote to memory of 4012  4956  net.exe  net1.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe" 8 LAN
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
  MD5: 93a5aadeec082ffc1bca5aa27af70f52
  SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
  SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
  SHA512: df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
- C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
  MD5: cfb761465693bd4511f038d8e468e62e
  SHA1: c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86
  SHA256: 2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912
  SHA512: 2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c
  (These hashes are identical to those of the submitted sample under General: the dropped asvyDmo.exe is a copy of the original executable.)