Analysis
- max time kernel: 201s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-04-2022 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  Resource: win10v2004-20220414-en
General
- Target: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Size: 3.7MB
- MD5: 50f94e792afda30fe1c485c2d733ddae
- SHA1: 5acb6535b97021f32220fb4ec2c68bb3019ec55b
- SHA256: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302
- SHA512: 2f5cdd6c589289e1e35cc50fc449c6419a81f724e65770d9bb2aca5f42472476a06de522e7a9f29d6e6dd52ff49fac355a058f9971ef3ee4b3c274ebd4de8834
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAPSHbkkGXm778Nx\\bd2za1clTfqT.exe\",explorer.exe"
  process: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Executes dropped EXE (3 IoCs)
  Processes: B8sKIHOgV2jUK8al.exe
  pid 2916: B8sKIHOgV2jUK8al.exe
  pid 4968: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: B8sKIHOgV2jUK8al.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  process: B8sKIHOgV2jUK8al.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  process: B8sKIHOgV2jUK8al.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: B8sKIHOgV2jUK8al.exe
  pid 4968: B8sKIHOgV2jUK8al.exe
  pid 4968: B8sKIHOgV2jUK8al.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  description: Token: SeDebugPrivilege
  pid 2968: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
  pid 4136: B8sKIHOgV2jUK8al.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe, B8sKIHOgV2jUK8al.exe
  PID 2968 wrote to memory of 2916: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe -> B8sKIHOgV2jUK8al.exe (reported 3 times)
  PID 2916 wrote to memory of 4968: B8sKIHOgV2jUK8al.exe -> B8sKIHOgV2jUK8al.exe (reported 3 times)
  PID 2916 wrote to memory of 4136: B8sKIHOgV2jUK8al.exe -> B8sKIHOgV2jUK8al.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe" --local-service
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe" --local-control
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\B8sKIHOgV2jUK8al.exe
  Filesize: 3.5MB
  MD5: e9fb13875b744fa633d1a7a34b0f6a52
  SHA1: f0966985745541ba01800aa213509a89a7fdf716
  SHA256: fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
  SHA512: c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 7KB
  MD5: 87b880fded5866f4cbd13a957b2cc042
  SHA1: 17273cd4f43bd51fdc759bf5e0ea1ca30cccc22f
  SHA256: 07f917a3ed3fa66fba3d56f54eadbffd1977aa0abe4c0dbd1736c5f488771a01
  SHA512: 71565e17c7290fe1a5e51fbeb88fb01e3a11b8c0c97ce6f3e2aa08e256f95ea1727ad50cf8eee05b3206e53ae781c172d2872c23f72c4c6d1102d7c3cdef6950
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 8KB
  MD5: 4252d6b9cf1e4167bc7d6224a1fc8b1d
  SHA1: 86a382dc871f946bd3d8e34d11a985b3a387fc96
  SHA256: b613757b59cd6fb7d05346d1b72d1db9efae67eee1bff0d4744a6616ddbc3cd0
  SHA512: 3d9ac9c6ed0e0699d460efe804776cf12d1c3126c3f40ec21fd4220c474a2ee59403233753580ac08d0ae4ef98325ab03d5d77ef1dfada210d22d77ccf7e93a9
- C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
  Filesize: 2KB
  MD5: dc44c0d3acca5dda701705f29b6fa396
  SHA1: 268ed08ab8d64c638d4f7e5f7fe47b74ddd42d79
  SHA256: 44191ce5c944fdcb65f6dc610d24a7f64f574531aa0fa9ae783827f893ef42e0
  SHA512: 5006b007059db8ddca313605b15afa96a99a113c9416e8ae10735f7378bf2c8817ebff37b11b5318527274df1b9525032bdd5308a71f6b36b0e0ebd5029ee581
- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 105B
  MD5: 2821f44709d619234bf06a39d4fdbf9b
  SHA1: fe10d1428b41a6810f45e8ae3e8b06f5986e1996
  SHA256: 828ded024f01f9c8fec896e91790e689f524bb7d37c7cf97147e44f273adb759
  SHA512: c8a10a2fb8da7f130c46eba97a2ed4cdb7e28923dffe8168c7b6f84e99650638f9c10d224ce12df20b643e20b4249290e1618ba63d8ba87bde13353c708d53cb
- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 113B
  MD5: ffd38000d16c2dbac41a90fcbcb2c4d0
  SHA1: 44a5ba0fed8aa0614107e47823a6d3bb2fa1846a
  SHA256: 436affe25e583303713f6bad3d79bad62141090e6bc78f05c6a1caffc8960fa5
  SHA512: 883b4047a3cc6772a62b1b2c5460ae8684e670882481e22b8c34cb741d3705c61167f7ec73582ed6bfe3155bb6822b12d0bc687cafc156640122c232b1d2f027
- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 205B
  MD5: 59352c2b0c590c5fd96365d3168d723b
  SHA1: 53ab571639cc3e3a38032c1095985f7f4278d8fc
  SHA256: 079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286
  SHA512: 2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828
- memory/2916-135-0x0000000000000000-mapping.dmp
- memory/2916-137-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/2916-139-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/2968-133-0x0000000005310000-0x000000000531A000-memory.dmp
  Filesize: 40KB
- memory/2968-134-0x0000000005330000-0x00000000058D4000-memory.dmp
  Filesize: 5.6MB
- memory/2968-131-0x00000000058E0000-0x0000000005E84000-memory.dmp
  Filesize: 5.6MB
- memory/2968-132-0x0000000005260000-0x00000000052F2000-memory.dmp
  Filesize: 584KB
- memory/2968-130-0x0000000000510000-0x00000000008C6000-memory.dmp
  Filesize: 3.7MB
- memory/4136-143-0x0000000000000000-mapping.dmp
- memory/4136-146-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/4136-153-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/4968-145-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/4968-152-0x0000000000620000-0x0000000001395000-memory.dmp
  Filesize: 13.5MB
- memory/4968-141-0x0000000000000000-mapping.dmp