Analysis
Max time kernel: 158s
Max time network: 165s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 09-03-2022 17:50

Static task: static1

Behavioral task: behavioral1
  Sample: 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
  Resource: win10v2004-en-20220112
General
Target: 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
Size: 539KB
MD5: c6f6dbd9cc541857159b379ed0b52e9a
SHA1: 9fb25d597eae11b3867e8dd532d536872197782e
SHA256: 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb
SHA512: 10fa08450a72c59dbb9c18d5ffd8eb156b75e6b67f487fa02765bab7a05e781f028d068f08c823d2a2fd3fd5ce6e06dc48be9f4f3005996ac6ee636be6ed9e52
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid | process):
  2036 | Desktop.exe
  1564 | njCrypted.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | Desktop.exe

Drops startup file (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | njCrypted.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | njCrypted.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  1564 | njCrypted.exe
  1564 | njCrypted.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .." | njCrypted.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .." | njCrypted.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
  1564 | njCrypted.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe
  Token: 33 | 1564 | njCrypted.exe
  Token: SeIncBasePriorityPrivilege | 1564 | njCrypted.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 2544 wrote to memory of 3664 | 2544 | 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe | cmd.exe
  PID 2544 wrote to memory of 3664 | 2544 | 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe | cmd.exe
  PID 2544 wrote to memory of 3664 | 2544 | 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe | cmd.exe
  PID 3664 wrote to memory of 2036 | 3664 | cmd.exe | Desktop.exe
  PID 3664 wrote to memory of 2036 | 3664 | cmd.exe | Desktop.exe
  PID 3664 wrote to memory of 2036 | 3664 | cmd.exe | Desktop.exe
  PID 2036 wrote to memory of 1564 | 2036 | Desktop.exe | njCrypted.exe
  PID 2036 wrote to memory of 1564 | 2036 | Desktop.exe | njCrypted.exe
  PID 2036 wrote to memory of 1564 | 2036 | Desktop.exe | njCrypted.exe
Processes (process tree; depth shown by indentation, PIDs taken from the WriteProcessMemory signature above)

C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe (PID 2544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 3664)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Run.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Desktop.exe (PID 2036)
      Command line: Desktop.exe -p123
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\njCrypted.exe (PID 1564)
        Command line: "C:\Users\Admin\AppData\Local\Temp\njCrypted.exe"
        - Executes dropped EXE
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
  - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Desktop.exe
  MD5: 8bb1f98c7477ad78f791fdd456fe2379
  SHA1: 247056c9eb9741bb383bf056371e0634c94d6e01
  SHA256: 52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c
  SHA512: 8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420
- C:\Users\Admin\AppData\Local\Temp\EntryPoint.dll
  MD5: 1a7b936836035d21ebd2294f574b6eea
  SHA1: d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef
  SHA256: 52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2
  SHA512: 5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71
- C:\Users\Admin\AppData\Local\Temp\Run.bat
  MD5: 33aac93bbfac6285ee2343af52e67951
  SHA1: b878552b521d0b8f0031b07749221b6d310217d3
  SHA256: d81716d88ad01dd36b74fe8b6fbf194f108e8e05f136a5e3e82b68764c414d8f
  SHA512: 58a7bd40077d4442e79ecc9cb9295cfea3ff9333ff906c6c7a512872ee168acbec7c358213036f2404073cc1bf4b07ec18c454047d47b320f94e528272bdf90f
- C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
  MD5: 6038ae65dfbd99b83ff4d7b85cb29d3d
  SHA1: 4b44d8ba4d51222af49f1e700857715094b9faa8
  SHA256: 46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946
  SHA512: cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715
- memory/1564-137-0x0000000004E80000-0x0000000004F1C000-memory.dmp
  Filesize: 624KB
- memory/1564-136-0x0000000000500000-0x0000000000512000-memory.dmp
  Filesize: 72KB
- memory/1564-135-0x00000000746D0000-0x0000000074E80000-memory.dmp
  Filesize: 7.7MB
- memory/1564-141-0x0000000004DD0000-0x0000000004DE0000-memory.dmp
  Filesize: 64KB
- memory/1564-142-0x00000000052D0000-0x00000000052D1000-memory.dmp
  Filesize: 4KB
- memory/1564-143-0x0000000005B50000-0x00000000060F4000-memory.dmp
  Filesize: 5.6MB
- memory/1564-144-0x0000000000EA0000-0x0000000000F32000-memory.dmp
  Filesize: 584KB
- memory/1564-145-0x0000000000F90000-0x0000000000F9A000-memory.dmp
  Filesize: 40KB