Analysis
-
max time kernel
138s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
02-05-2022 07:38
Static task
static1
Behavioral task
behavioral1
Sample
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
Resource
win10v2004-20220414-en
General
-
Target
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
-
Size
296KB
-
MD5
f131c78521cec27b327b5aad011c5afc
-
SHA1
928777153a742a0bf934545f3bc1fbf37bf27d3f
-
SHA256
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5
-
SHA512
8fbdbeeef3c72859f981b4620f2c604635c1527294de9d0027dc163d1bbdff77ceca6e83436a437deda345f88bbeb1152a8933a667cc9ef25230e58bdb056a57
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
htjdd.exepid process 4456 htjdd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe -
Drops startup file 1 IoCs
Processes:
htjdd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\htjdd.lnk htjdd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exehtjdd.exedescription pid process Token: SeDebugPrivilege 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe Token: SeDebugPrivilege 4456 htjdd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.execmd.exehtjdd.exedescription pid process target process PID 4252 wrote to memory of 2020 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 4252 wrote to memory of 2020 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 4252 wrote to memory of 2020 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 4252 wrote to memory of 2084 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 4252 wrote to memory of 2084 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 4252 wrote to memory of 2084 4252 38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe cmd.exe PID 2084 wrote to memory of 4456 2084 cmd.exe htjdd.exe PID 2084 wrote to memory of 4456 2084 cmd.exe htjdd.exe PID 2084 wrote to memory of 4456 2084 cmd.exe htjdd.exe PID 4456 wrote to memory of 3104 4456 htjdd.exe svchost.exe PID 4456 wrote to memory of 3104 4456 htjdd.exe svchost.exe PID 4456 wrote to memory of 3104 4456 htjdd.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe"C:\Users\Admin\AppData\Local\Temp\38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe" "C:\Users\Admin\htjdd.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\htjdd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\htjdd.exe"C:\Users\Admin\htjdd.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\htjdd.exeFilesize
296KB
MD5f131c78521cec27b327b5aad011c5afc
SHA1928777153a742a0bf934545f3bc1fbf37bf27d3f
SHA25638235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5
SHA5128fbdbeeef3c72859f981b4620f2c604635c1527294de9d0027dc163d1bbdff77ceca6e83436a437deda345f88bbeb1152a8933a667cc9ef25230e58bdb056a57
-
C:\Users\Admin\htjdd.exeFilesize
296KB
MD5f131c78521cec27b327b5aad011c5afc
SHA1928777153a742a0bf934545f3bc1fbf37bf27d3f
SHA25638235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5
SHA5128fbdbeeef3c72859f981b4620f2c604635c1527294de9d0027dc163d1bbdff77ceca6e83436a437deda345f88bbeb1152a8933a667cc9ef25230e58bdb056a57
-
memory/2020-135-0x0000000000000000-mapping.dmp
-
memory/2084-136-0x0000000000000000-mapping.dmp
-
memory/4252-130-0x0000000000E80000-0x0000000000ED0000-memory.dmpFilesize
320KB
-
memory/4252-131-0x0000000005950000-0x00000000059E2000-memory.dmpFilesize
584KB
-
memory/4252-132-0x0000000005FA0000-0x0000000006544000-memory.dmpFilesize
5.6MB
-
memory/4252-133-0x00000000059F0000-0x0000000005A34000-memory.dmpFilesize
272KB
-
memory/4252-134-0x00000000065C0000-0x0000000006626000-memory.dmpFilesize
408KB
-
memory/4456-137-0x0000000000000000-mapping.dmp