e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72b295ded9889cee24320db368bcf1.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
3924	IFMb39aGmCsqJcthXwNQEToq7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ff72b295ded9889cee24320db368bcf1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	ff72b295ded9889cee24320db368bcf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1324	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3540	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3924	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe
3076	ff72b295ded9889cee24320db368bcf1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	3076	ff72b295ded9889cee24320db368bcf1.exe
Token: SeDebugPrivilege	3924	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	3924	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 1324	3076	ff72b295ded9889cee24320db368bcf1.exe	82
PID 3076 wrote to memory of 1324	3076	ff72b295ded9889cee24320db368bcf1.exe	82
PID 3076 wrote to memory of 3924	3076	ff72b295ded9889cee24320db368bcf1.exe	88
PID 3076 wrote to memory of 3924	3076	ff72b295ded9889cee24320db368bcf1.exe	88
PID 3076 wrote to memory of 3632	3076	ff72b295ded9889cee24320db368bcf1.exe	89
PID 3076 wrote to memory of 3632	3076	ff72b295ded9889cee24320db368bcf1.exe	89
PID 3632 wrote to memory of 3540	3632	cmd.exe	91
PID 3632 wrote to memory of 3540	3632	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe
"C:\Users\Admin\AppData\Local\Temp\ff72b295ded9889cee24320db368bcf1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:22 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:1324
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD844.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
0e730ffebb34f3c232c640174ff7f9b6

SHA1
90ac388d5c502999da0c2cc5f82281f7519adce2

SHA256
ae6b5c03dadd619b590f53d1495697cd85fa3351cdb4a0e353696ff85d0bbc35

SHA512
6beaab45ef6564d8cd6d6a678079a35a7bdfc334659bff6c2f296c794d96c9440cb47288548cf1b89c78e0463ac40dd11d90e168ae643c9557c61dc72fe27096

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
0e730ffebb34f3c232c640174ff7f9b6

SHA1
90ac388d5c502999da0c2cc5f82281f7519adce2

SHA256
ae6b5c03dadd619b590f53d1495697cd85fa3351cdb4a0e353696ff85d0bbc35

SHA512
6beaab45ef6564d8cd6d6a678079a35a7bdfc334659bff6c2f296c794d96c9440cb47288548cf1b89c78e0463ac40dd11d90e168ae643c9557c61dc72fe27096

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD844.tmp.bat

Filesize
184B

MD5
cfeca88ff32d95ddceaf3b80ffdf55c9

SHA1
d0c9d6c26476cc3eb927c4551406651223240f0d

SHA256
9b593cf5219ce17863022d77869a11a59286059dc4538457562eb2410031e257

SHA512
25a362d6689d70eec0e20dad7ea24a4b876b3ecd3c224001d893e2815d1249c0f9066f3f09e5a95276d33db0b4174ff5e077197d3f443df0b0a1ab9e3c03550d

Download Submit
memory/3076-130-0x0000000000FB0000-0x000000000107E000-memory.dmp

Filesize
824KB

Download
memory/3076-131-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp

Filesize
10.8MB

Download
memory/3924-139-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp

Filesize
10.8MB

Download
memory/3924-140-0x00000000016CA000-0x00000000016CF000-memory.dmp

Filesize
20KB

Download