Analysis
- max time kernel: 160s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 29-03-2022 22:11
Static task: static1
Behavioral task: behavioral1
- Sample: 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe
- Resource: win10v2004-en-20220113
The platform and resource in the Analysis header above (windows10-2004_x64, win10v2004-en-20220113) correspond to behavioral2.
General
- Target: 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe
- Size: 140KB
- MD5: cb88e2a5631c6ef481af0803950c5e00
- SHA1: f99b8bf66f2629e313e04e8a4cce7a69758fa647
- SHA256: 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
- SHA512: 9ba281c90ed85b65cfb9cdddb82d7b3e65403fd8869bd15cc65bbe8dbb82bcab2084517e6698942864b8ad018a13666622a90fd2ad97e6ef60ff8993d9da5fb5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  2272 | server.exe
- Modifies Windows Firewall (1 TTP)
  No IoC row is listed for this signature; the matching activity is the netsh.exe command line in the process tree below (netsh firewall add allowedprogram ... ENABLE), launched by server.exe (PID 2272).
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  The same value name (0d122dd52a6e1fabf394b30dede2ed0a) is written under both HKLM and the user's HKCU hive, and it matches the file name dropped into the Startup folder. The HKLM write lands under WOW6432Node and netsh is launched from C:\Windows\SysWOW64, both consistent with server.exe running as a 32-bit process on the x64 host.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but no IoC rows are listed for the signature and the only file writes recorded in this report are the Startup-folder drop, so treat the label as a heuristic rather than evidence of encryption.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  2272 | server.exe (64 identical rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  2272 | server.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description | pid | process), all rows for 2272 server.exe:
  Token: SeDebugPrivilege (1 row)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (15 rows each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 1016 wrote to memory of 2272 | 1016 | 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe | server.exe (3 identical rows)
  PID 2272 wrote to memory of 4108 | 2272 | server.exe | netsh.exe (3 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe (PID 1016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2272, child of 1016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 4108, child of 2272)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
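The process tree above is a compact persistence chain: the sample writes a copy of itself to %TEMP% as server.exe, server.exe registers that path under both Run keys and the Startup folder, then whitelists itself in Windows Firewall through the legacy netsh syntax. The following is an added example, not part of the sandbox report or of the sample: it replays event records modelled on this report's IoC rows and flags what a detection engineer would alert on. The record format, the field names and the function names are this example's own assumptions; the paths, registry keys, PIDs and netsh command line are copied from the report. The firewall parser also accepts the newer "netsh advfirewall firewall add rule ... program=... action=allow" form, which goes beyond what this sample does.

```python
"""Added example (not from the report): replay sandbox-style events and flag
persistence, firewall whitelisting and the Geo\\Nation geofence lookup.
Record format and function names are assumptions; values come from the report."""
import re


def p(*parts):
    """Join path or registry components with backslashes."""
    return "\\".join(parts)


SAMPLE = "8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NAME = "0d122dd52a6e1fabf394b30dede2ed0a"

# Constructed event log in an assumed record format; the values are the report's IoCs.
EVENTS = [
    {"op": "reg_query", "pid": 1016, "image": SAMPLE,
     "key": p(r"\REGISTRY\USER", SID, r"Control Panel\International\Geo\Nation")},
    {"op": "file_create", "pid": 2272, "image": "server.exe",
     "path": p(STARTUP, NAME + ".exe")},
    {"op": "reg_set", "pid": 2272, "image": "server.exe",
     "key": p(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", NAME),
     "data": '"' + p(TEMP, "server.exe") + '" ..'},
    {"op": "reg_set", "pid": 2272, "image": "server.exe",
     "key": p(r"\REGISTRY\USER", SID, RUN, NAME),
     "data": '"' + p(TEMP, "server.exe") + '" ..'},
    {"op": "process_create", "pid": 4108, "ppid": 2272, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + p(TEMP, "server.exe") + '" "server.exe" ENABLE'},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def firewall_allow_target(cmdline):
    """Program a netsh command whitelists in Windows Firewall, or None.

    Legacy form (used by this sample): netsh firewall add allowedprogram <path> <name> [ENABLE|DISABLE]
    Newer form (beyond the report):    netsh advfirewall firewall add rule ... program=<path> action=allow
    """
    t = tokens(cmdline)
    low = [x.lower() for x in t]
    if not low or (low[0] not in ("netsh", "netsh.exe") and not low[0].endswith("\\netsh.exe")):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(t) > 4:
        if any(x in ("disable", "mode=disable") for x in low[5:]):
            return None  # rule added but disabled: not an allow
        return re.sub(r"^program=", "", t[4], flags=re.I).strip('"')
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v.strip('"') for k, sep, v in (x.partition("=") for x in t[5:]) if sep}
        if kv.get("action", "").lower() == "allow" and kv.get("program"):
            return kv["program"]
    return None


def analyze(events):
    """Return findings (tag, severity, pid, image, detail) for one event stream."""
    out = []

    def add(tag, sev, e, detail):
        out.append({"tag": tag, "severity": sev, "pid": e["pid"], "image": e["image"], "detail": detail})

    for e in events:
        op = e["op"]
        if op == "reg_query" and GEO_NATION.search(e["key"]):
            add("geofence_check", "low", e, e["key"])
        elif op == "reg_set" and RUN_KEY.search(e["key"]):
            hive = "HKLM" if e["key"].upper().startswith(r"\REGISTRY\MACHINE") else "HKCU"
            add("run_key_persistence", "medium", e, hive + ": " + e["key"] + " = " + e["data"])
        elif op == "file_create" and STARTUP_DIR.search(e["path"]):
            add("startup_folder_persistence", "medium", e, e["path"])
        elif op == "process_create":
            target = firewall_allow_target(e.get("cmdline", ""))
            if target:
                # Whitelisting a binary in a user-writable directory (%TEMP% here)
                # is far more suspicious than a rule for a program under Program Files.
                add("firewall_allow_rule", "high" if USER_WRITABLE.search(target) else "medium", e, target)
    return out


def persistence_paths(findings):
    """Distinct binaries the findings show being made persistent or whitelisted."""
    paths = set()
    for f in findings:
        if f["tag"] in ("firewall_allow_rule", "startup_folder_persistence"):
            paths.add(f["detail"].lower())
        elif f["tag"] == "run_key_persistence":
            m = re.search(r'= "?([^"]+\.exe)', f["detail"], re.I)
            if m:
                paths.add(m.group(1).lower())
    return sorted(paths)


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] {f['tag']:28} pid={f['pid']} {f['detail']}")
    print("persistent binaries:", persistence_paths(found))
```

Run as a script it prints one line per finding and then the two binaries that survive a reboot (the %TEMP% copy referenced by both Run keys and the firewall rule, and the Startup-folder copy). The severity bump for user-writable paths is the check worth carrying into a real rule: a legacy "allowedprogram" entry for anything under AppData or Temp has little legitimate use.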
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe (listed twice in the report)
  Filesize: 140KB
  MD5: cb88e2a5631c6ef481af0803950c5e00
  SHA1: f99b8bf66f2629e313e04e8a4cce7a69758fa647
  SHA256: 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b
  SHA512: 9ba281c90ed85b65cfb9cdddb82d7b3e65403fd8869bd15cc65bbe8dbb82bcab2084517e6698942864b8ad018a13666622a90fd2ad97e6ef60ff8993d9da5fb5
  These hashes are identical to those of the submitted sample: server.exe is a byte-for-byte copy of 8f504845a4bca5527b3e3d283140d250e7c98effb4ab2811377d8240407fb24b.exe written to %TEMP%.
- memory/1016-130-0x0000000000710000-0x000000000073C000-memory.dmp: 176KB
- memory/1016-131-0x0000000005070000-0x000000000510C000-memory.dmp: 624KB
- memory/1016-132-0x00000000056E0000-0x0000000005C84000-memory.dmp: 5.6MB
- memory/1016-133-0x00000000051D0000-0x0000000005262000-memory.dmp: 584KB
- memory/1016-134-0x0000000005180000-0x000000000518A000-memory.dmp: 40KB
- memory/1016-135-0x0000000005320000-0x0000000005376000-memory.dmp: 344KB
- memory/2272-136-0x0000000000000000-mapping.dmp
- memory/4108-139-0x0000000000000000-mapping.dmp