30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
151s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
3392	test.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4012	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3804	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3392	test.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
Token: SeDebugPrivilege	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
Token: SeDebugPrivilege	3392	test.exe
Token: SeDebugPrivilege	3392	test.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4012	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	82
PID 3216 wrote to memory of 4012	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	82
PID 3216 wrote to memory of 3392	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	87
PID 3216 wrote to memory of 3392	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	87
PID 3216 wrote to memory of 3532	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	88
PID 3216 wrote to memory of 3532	3216	30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe	88
PID 3532 wrote to memory of 3804	3532	cmd.exe	90
PID 3532 wrote to memory of 3804	3532	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe
"C:\Users\Admin\AppData\Local\Temp\30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 16:41 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:4012
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B48.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test\test.exe

Filesize
645.3MB

MD5
121b811776b17b4008ac167a374cfd25

SHA1
208a77d85263db9c36592a81276c5b8d3539720e

SHA256
40464a8cc9660498ca2c0ad59a23abd79eeb57c275975689cc7d86c8cc99329f

SHA512
2af53ba25499892f47ecd2f4da467491362287e00d6742423543c45b1a2c4a41c77e0cbc40ff77c718e00e33300778dc6ad4fccedf01aefa28514b2a4dd2459d

Download Submit
C:\ProgramData\test\test.exe

Filesize
645.3MB

MD5
121b811776b17b4008ac167a374cfd25

SHA1
208a77d85263db9c36592a81276c5b8d3539720e

SHA256
40464a8cc9660498ca2c0ad59a23abd79eeb57c275975689cc7d86c8cc99329f

SHA512
2af53ba25499892f47ecd2f4da467491362287e00d6742423543c45b1a2c4a41c77e0cbc40ff77c718e00e33300778dc6ad4fccedf01aefa28514b2a4dd2459d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B48.tmp.bat

Filesize
216B

MD5
0f78ae9a43da07008b3ebd76abd5e2ba

SHA1
c2c0e03e9dc74315c97888449788bcfd46e37b0e

SHA256
ae0f342dcb30ba0f50c66535997766dae32b6a815ed6eae0137ad309f3ad87f8

SHA512
3cd874f90d3eba9c13ad9345ca4b1a6fe09de48314ba306cd78572a47194a88acc07af95639dc9ff4bcb2839495aa0db4a8605de19215318d310ad4d28e157bd

Download Submit
memory/3216-130-0x0000000000180000-0x000000000024E000-memory.dmp

Filesize
824KB

Download
memory/3216-131-0x00007FFF951A0000-0x00007FFF95C61000-memory.dmp

Filesize
10.8MB

Download
memory/3392-137-0x00007FFF951A0000-0x00007FFF95C61000-memory.dmp

Filesize
10.8MB

Download