Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 30-03-2022 02:40

Static task: static1

Behavioral task: behavioral1
- Sample: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
- Resource: win7-20220331-en

Behavioral task: behavioral2
- Sample: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
- Resource: win10v2004-20220331-en
General
- Target: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
- Size: 101KB
- MD5: 73fa54775bec045e8c86793ec7c00dc2
- SHA1: 5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
- SHA256: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
- SHA512: e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - server.exe (pid 2204)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation (process: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe)
- Drops startup file (2 IoCs)
  Processes: server.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe (process: server.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d122dd52a6e1fabf394b30dede2ed0a.exe (process: server.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0d122dd52a6e1fabf394b30dede2ed0a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." (process: server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - server.exe (pid 2204), 64 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - server.exe (pid 2204)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: server.exe (pid 2204)
  - Token: SeDebugPrivilege
  - Token: 33, followed by Token: SeIncBasePriorityPrivilege (this pair repeated 16 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe, server.exe
  - PID 1808 (2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe) wrote to memory of PID 2204 (server.exe), 3 occurrences
  - PID 2204 (server.exe) wrote to memory of PID 2552 (netsh.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  - Filesize: 101KB
  - MD5: 73fa54775bec045e8c86793ec7c00dc2
  - SHA1: 5a204c087e9fb1a3426ac4adaa1b38b5aa87bba9
  - SHA256: 2df505b37c492a622e2b5175beeb6a6248b69c5183960fd0464d7f82b7ef02f5
  - SHA512: e319f2f7c19cfefd5d4ee97f07692b00e85de2c47b0e7ce9b97fe3c2ed1270a1059089d1135ac315d8df23e34f828674f630948ec2dc1b9998071cfcdf7cb91e
- memory/1808-124-0x00000000007E0000-0x0000000000802000-memory.dmp (Filesize: 136KB)
- memory/1808-125-0x000000000A8E0000-0x000000000A97C000-memory.dmp (Filesize: 624KB)
- memory/1808-126-0x000000000AF30000-0x000000000B4D4000-memory.dmp (Filesize: 5.6MB)
- memory/2204-127-0x0000000000000000-mapping.dmp
- memory/2204-131-0x000000000AB00000-0x000000000AB92000-memory.dmp (Filesize: 584KB)
- memory/2204-132-0x000000000AAB0000-0x000000000AABA000-memory.dmp (Filesize: 40KB)
- memory/2552-130-0x0000000000000000-mapping.dmp