Analysis
-
max time kernel
128s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-05-2022 15:03
General
-
Target
409a345a063f2fc853b7b45c060970231d9fdc6b45344.exe
-
Size
1.2MB
-
MD5
c52e23f559f027c6af598ff0a4c3497d
-
SHA1
0e6de0682ae5d89a6530a6c6e03054f5aaeb0662
-
SHA256
409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021
-
SHA512
802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\409a345a063f2fc853b7b45c060970231d9fdc6b45344.exe"C:\Users\Admin\AppData\Local\Temp\409a345a063f2fc853b7b45c060970231d9fdc6b45344.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 202⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 203⤵
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1544-131-0x0000000000000000-mapping.dmp
-
memory/2052-132-0x0000000000000000-mapping.dmp
-
memory/4116-138-0x0000000007840000-0x000000000787C000-memory.dmpFilesize
240KB
-
memory/4116-139-0x0000000007B70000-0x0000000007BD6000-memory.dmpFilesize
408KB
-
memory/4116-134-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4116-135-0x0000000007D60000-0x0000000008378000-memory.dmpFilesize
6.1MB
-
memory/4116-136-0x00000000077E0000-0x00000000077F2000-memory.dmpFilesize
72KB
-
memory/4116-137-0x0000000007910000-0x0000000007A1A000-memory.dmpFilesize
1.0MB
-
memory/4116-146-0x0000000009B90000-0x000000000A0BC000-memory.dmpFilesize
5.2MB
-
memory/4116-133-0x0000000000000000-mapping.dmp
-
memory/4116-140-0x0000000008940000-0x00000000089B6000-memory.dmpFilesize
472KB
-
memory/4116-141-0x0000000008A60000-0x0000000008AF2000-memory.dmpFilesize
584KB
-
memory/4116-142-0x00000000090B0000-0x0000000009654000-memory.dmpFilesize
5.6MB
-
memory/4116-143-0x0000000008C20000-0x0000000008C3E000-memory.dmpFilesize
120KB
-
memory/4116-144-0x0000000008D10000-0x0000000008D60000-memory.dmpFilesize
320KB
-
memory/4116-145-0x0000000007130000-0x00000000072F2000-memory.dmpFilesize
1.8MB
-
memory/4976-130-0x00000000004A0000-0x00000000005E4000-memory.dmpFilesize
1.3MB