001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
Size

1.1MB
MD5

517572f5a978bee6c537f4cca48e2cbe
SHA1

686d6a30d18c92b800b9737ba917df4959081fee
SHA256

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc
SHA512

28eafec1ff1e423b4abd9ab1c2134822e1472710b73d15a5fcaf634a37cb3bcc9a6cb614d989a89bf18fc141429873d9db28aac11cc0d92372fbaeff9547e50e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe

description	pid	process	target process
PID 3180 set thread context of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

840 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

924 powershell.exe
924 powershell.exe

pid	process
840	schtasks.exe

pid	process
924	powershell.exe
924	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
Token: SeDebugPrivilege	4092	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
Token: SeDebugPrivilege	924	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.execmd.exe

description	pid	process	target process
PID 3180 wrote to memory of 840	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	schtasks.exe
PID 3180 wrote to memory of 840	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	schtasks.exe
PID 3180 wrote to memory of 840	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	schtasks.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 3180 wrote to memory of 4092	3180	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
PID 4092 wrote to memory of 3180	4092	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	cmd.exe
PID 4092 wrote to memory of 3180	4092	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	cmd.exe
PID 4092 wrote to memory of 3180	4092	001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe	cmd.exe
PID 3180 wrote to memory of 924	3180	cmd.exe	powershell.exe
PID 3180 wrote to memory of 924	3180	cmd.exe	powershell.exe
PID 3180 wrote to memory of 924	3180	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
"C:\Users\Admin\AppData\Local\Temp\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ShPhySCdL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4362.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:840
- C:\Users\Admin\AppData\Local\Temp\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\001b14d21f1f99aae9ae6b365482be3cd75568e33a8af6aba36d148129ac19dc.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4362.tmp

Filesize
1KB

MD5
47a72e728278580a4bbb6b07c7af9521

SHA1
b56ff3ea7fbe4431da03f729de777d202434968d

SHA256
8231563cd8ee63c7e4d275366d40d4ac0aa4b8aa67f655a154f935b069fa5b61

SHA512
9ead66fd40ef2def2fa8d5af5203c4e3455722d0c779746bccfe0ed0c7196f4ef261fec26ecf93e52dfce6ee8319656934a9526b17b90d2b93f79ca25c59bb24

Download Submit
memory/840-135-0x0000000000000000-mapping.dmp

Download
memory/924-650-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/924-648-0x0000000000000000-mapping.dmp

Download
memory/924-649-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/924-654-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/924-651-0x0000000005DE0000-0x0000000005E02000-memory.dmp

Filesize
136KB

Download
memory/924-652-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/924-653-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/924-657-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/924-656-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/924-655-0x0000000006A50000-0x0000000006A6A000-memory.dmp

Filesize
104KB

Download
memory/3180-130-0x0000000000930000-0x0000000000A4A000-memory.dmp

Filesize
1.1MB

Download
memory/3180-646-0x0000000000000000-mapping.dmp

Download
memory/3180-134-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/3180-133-0x000000000ABB0000-0x000000000ABBA000-memory.dmp

Filesize
40KB

Download
memory/3180-132-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/3180-131-0x000000000B070000-0x000000000B614000-memory.dmp

Filesize
5.6MB

Download
memory/4092-168-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-188-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-158-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-160-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-162-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-164-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-166-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-154-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-170-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-172-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-174-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-176-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-178-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-180-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-182-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-184-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-186-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-190-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-192-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-194-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-196-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-152-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-150-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-148-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-146-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-144-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-142-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-137-0x0000000000000000-mapping.dmp

Download
memory/4092-198-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-200-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4092-645-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download