e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 2 IoCs

pid	Process
548	IFMb39aGmCsqJcthXwNQEToq7.exe
5904	WlaOrzbfdk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WlaOrzbfdk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WlaOrzbfdk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ff72b295ded9889cee24320db368bcf1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
884	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2492	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
548	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe
4068	ff72b295ded9889cee24320db368bcf1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	4068	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	548	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	548	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeLockMemoryPrivilege	5904	WlaOrzbfdk.exe
Token: SeLockMemoryPrivilege	5904	WlaOrzbfdk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5904	WlaOrzbfdk.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 884	4068	ff72b295ded9889cee24320db368bcf1.exe	83
PID 4068 wrote to memory of 884	4068	ff72b295ded9889cee24320db368bcf1.exe	83
PID 4068 wrote to memory of 548	4068	ff72b295ded9889cee24320db368bcf1.exe	88
PID 4068 wrote to memory of 548	4068	ff72b295ded9889cee24320db368bcf1.exe	88
PID 4068 wrote to memory of 2348	4068	ff72b295ded9889cee24320db368bcf1.exe	89
PID 4068 wrote to memory of 2348	4068	ff72b295ded9889cee24320db368bcf1.exe	89
PID 2348 wrote to memory of 2492	2348	cmd.exe	91
PID 2348 wrote to memory of 2492	2348	cmd.exe	91
PID 548 wrote to memory of 5904	548	IFMb39aGmCsqJcthXwNQEToq7.exe	95
PID 548 wrote to memory of 5904	548	IFMb39aGmCsqJcthXwNQEToq7.exe	95

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:18 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:884
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe
    "C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe" --url xmr.hashcity.org:4444 --user first1805.8125412A8A --pass x --title Service --cpu-max-threads-hint=70 --donate-level 0
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5F9.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
520.0MB

MD5
f1d20988b8c185ed3cb4476a8d6cbf5f

SHA1
12ba27d6d0962616ee5ad0c5ebe0be950bc8d0af

SHA256
0d7fa79285da64985fccf4519582bccaba97f4befac7e40758c5063fcd02033a

SHA512
166efdb8876d4c4faad2fd8e3c11840a23f4d40c7d87a4e1d74c452820d937eeeea0d1e6fbcdbb1ee053138dcecf2b77ad933a4b7f0f84541c0ca85a1f50d440

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
517.8MB

MD5
21746de6a989d4047c03e1d71119372e

SHA1
a1b093d17369706cded858b2ac87b56d1435cd14

SHA256
5a62989f162feea56ed19464b39d7d5c5c849e397728a25aae67fd99879992b1

SHA512
99d584faddee2be13c1af5fb3f185f6d869537347cffd5531e24f499322fa51f2c60daac2e685dc6f1870d5859248d14632473ea24a92fa8ba13387a6c175df2

Download Submit
C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
21.9MB

MD5
7a0b6ff6dd4f76c8c696c5c35487db0a

SHA1
9d8319b0bfbd8356bf08bde124a955d4490a3632

SHA256
7d722f96dad1f545aefaab52e3dd6192f9e79fd9bd2631b58f98dfe7f6ca9761

SHA512
b8cf91ab2ba9d766e5ea02509dcafbee3e363bfe647b8ac2b2e1c91e844b1f629a348fa69e93a5b991dd97bd8759435a8f02e0e9a5018e4e39e08af090d64ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5F9.tmp.bat

Filesize
184B

MD5
f910fcfde0f23523339c1fedacd66506

SHA1
2199431534d22e44db1fb66587cb79c5f2e6442c

SHA256
5c2ff910efca65a9c94577ba52c8f8dc4df12e51ab041a422be4ceb954729a89

SHA512
fcded8e20818bb85d5010d7c426502f97622ea7e24ad821a926ec5a6e781761cd3e384ce804d701d7ad0f50a70f8d3faa62d27da3e73d2b14b6f21cee2332c24

Download Submit
memory/548-139-0x00007FFE09260000-0x00007FFE09D21000-memory.dmp

Filesize
10.8MB

Download
memory/548-140-0x000000001C5BA000-0x000000001C5BF000-memory.dmp

Filesize
20KB

Download
memory/4068-130-0x0000000000790000-0x000000000085E000-memory.dmp

Filesize
824KB

Download
memory/4068-131-0x00007FFE09260000-0x00007FFE09D21000-memory.dmp

Filesize
10.8MB

Download
memory/5904-143-0x00000000019A0000-0x00000000019C0000-memory.dmp

Filesize
128KB

Download
memory/5904-144-0x00007FFE26FB0000-0x00007FFE271A5000-memory.dmp

Filesize
2.0MB

Download
memory/5904-145-0x0000000001A20000-0x0000000001A60000-memory.dmp

Filesize
256KB

Download