Analysis

- max time kernel: 113s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50

Static task: static1

Behavioral task: behavioral1
- Sample: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
- Resource: win10v2004-20220414-en

General

- Target: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe (the file is named after its own SHA256)
- Size: 235KB
- MD5: 2b68b4ac5925dc134631ff4555c5aea5
- SHA1: ed0112fa289ed48c5b541eec39fd1554ae08ab9f
- SHA256: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39
- SHA512: 77ce92481066a3a6efd68055b5551562d8997900d65f9b888cd6d3a485aac459b46c0aab2407828e73c28bdcec9bfd2d2ad0933109d9584ed1ee06fb02601803
Malware Config

Signatures

- suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
- Adds Run key to start application (2 TTPs, 1 IoC)

Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe" | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

Note that the Run value points at the sample's original path under the user's Temp directory, which is the same file the cmd.exe child in the process tree below deletes; nothing in this report shows the sample copying itself elsewhere first, so on this run the persistence entry may end up pointing at a file that no longer exists.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

That last sentence is the sandbox's generic description for this signature; no file-encryption or ransom-note activity is recorded elsewhere in this report, and the network signature above attributes the sample to BlackNET, so drive enumeration here is better read as reconnaissance than as ransomware.
- Program crash (1 IoC)

Processes:
pid | pid_target | process | target process
404 | 4524 | WerFault.exe | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)

Processes:
pid | process | count
4524 | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe | 24
2504 | powershell.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes:
description | pid | process
Token: SeDebugPrivilege | 4524 | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
Token: SeDebugPrivilege | 2504 | powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)

Processes:
pid | process | count
4524 | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe | 3
- Suspicious use of WriteProcessMemory (6 IoCs)

Processes:
description | pid | process | target process | count
PID 4524 wrote to memory of 2504 | 4524 | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe | powershell.exe | 2
PID 4524 wrote to memory of 4588 | 4524 | 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe | cmd.exe | 2
PID 4588 wrote to memory of 1112 | 4588 | cmd.exe | PING.EXE | 2

Every write here is from a parent into a child it has just created (the same parent/child pairs appear in the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

Indentation shows the parent/child depth recorded by the sandbox (level 1 = root).

1. C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
   PID: 4524
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      PID: 2504
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Get-MpPreference reads the Microsoft Defender configuration (exclusions, real-time protection settings and similar), so this child is the sample checking what the local AV will and will not do.

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
      PID: 4588
      - Suspicious use of WriteProcessMemory
      The five pings to 1.1.1.1 (output discarded) act as a delay so the parent has exited before Del removes its own executable: a self-deletion stub, and the reason the "Runs ping.exe" signature fires.

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 5 -w 5000
         PID: 1112
         - Runs ping.exe

   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 4524 -s 3656
      PID: 404
      - Program crash

1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 4524 -ip 4524
   PID: 2584
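As an added example (not part of this sandbox report and not code from the sample), the following Python implements host-side detections for three behaviours the report records above: the ping-then-Del self-deletion stub, the Defender configuration query via Get-MpPreference launched from a binary in a user-writable directory, and the Run key that points back at the writing process. It runs over a constructed list of Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) whose PIDs, paths and command lines are taken from the report; the Sysmon field names are a simplification, and the sample's own parent PID (1000) is an assumption.

```python
"""Detection logic for the behaviours this report records (added example; not
part of the sandbox report or the BlackNET sample). Events use simplified
Sysmon-style field names: EventID 1 = process creation, EventID 13 = registry
value set. The sample events are constructed from the process tree and registry
IoCs above; the sample's parent PID (1000) is an assumption."""
import re

SAMPLE_NAME = "00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_NAME
RUN_KEY = ("HKU\\S-1-5-21-1809750270-3141839489-3074374771-1000\\SOFTWARE\\Microsoft"
           "\\Windows\\CurrentVersion\\Run\\e162b1333458a713bc6916cc8ac4110c")

# Constructed events mirroring the report (PIDs and command lines as shown above).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4524, "ParentProcessId": 1000,  # parent PID assumed
     "Image": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 2504, "ParentProcessId": 4524,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '"powershell" Get-MpPreference -verbose'},
    {"EventID": 1, "ProcessId": 4588, "ParentProcessId": 4524,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 '
                    f'> Nul & Del "{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 1112, "ParentProcessId": 4588,
     "Image": "C:\\Windows\\system32\\PING.EXE",
     "CommandLine": "ping 1.1.1.1 -n 5 -w 5000"},
    {"EventID": 13, "ProcessId": 4524, "Image": SAMPLE_PATH,
     "TargetObject": RUN_KEY, "Details": SAMPLE_PATH},
]

# "ping <host> ... & del <file>": ping used as a sleep before deleting a file.
PING_THEN_DEL_RE = re.compile(
    r'ping\s+\S+.*?&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)


def _norm(path):
    """Case-fold and strip surrounding quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def analyze(events):
    """Return a list of findings; each is a dict with a 'rule' name plus context."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        image = e.get("Image", "").lower()
        if e["EventID"] == 1 and image.endswith("\\cmd.exe"):
            m = PING_THEN_DEL_RE.search(e["CommandLine"])
            if m:
                parent = procs.get(e["ParentProcessId"])
                target = _norm(m.group("target"))
                findings.append({
                    "rule": "ping_delay_then_del",
                    "pid": e["ProcessId"],
                    "target": target,
                    # True when cmd.exe deletes the very binary that spawned it.
                    "deletes_parent_image": parent is not None and _norm(parent["Image"]) == target,
                })
        elif e["EventID"] == 1 and image.endswith("\\powershell.exe") \
                and "get-mppreference" in e["CommandLine"].lower():
            parent = procs.get(e["ParentProcessId"])
            findings.append({
                "rule": "defender_config_enum",
                "pid": e["ProcessId"],
                "parent_image": parent["Image"] if parent else None,
                # A Defender preference read launched by a binary in a user-writable path is the suspicious case.
                "parent_in_user_writable": bool(parent and USER_WRITABLE_RE.search(parent["Image"])),
            })
        elif e["EventID"] == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            findings.append({
                "rule": "run_key_persistence",
                "pid": e["ProcessId"],
                "value_name": e["TargetObject"].rsplit("\\", 1)[-1],
                # Persistence that points at the writer itself, in a user-writable directory.
                "points_at_writer": _norm(e["Details"]) == _norm(e["Image"]),
                "in_user_writable": bool(USER_WRITABLE_RE.search(e["Details"])),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints one finding per rule for the constructed events. The ping-then-del rule deliberately requires both the ping and a trailing del in one cmd.exe command line, and only raises deletes_parent_image when the deleted path equals the parent's image; a plain connectivity check such as cmd /c ping 8.8.8.8 -n 1 produces no finding.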