Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 21:56
Static task: static1

Behavioral task: behavioral1
- Sample: 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
- Resource: win10v2004-20220414-en
General
- Target: 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
- Size: 32KB
- MD5: 8b2046913245ac538271b9691210ca57
- SHA1: 437609ea4ce1f5d7e00fe55c8ec3b8e6ac3c8e55
- SHA256: 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149
- SHA512: 0b3f1c9d9c970dc01d4ec05ae839b5d8f34a0b0118c17ae51d492bc65d7b4e13206947189da7a68a73c26ace69e3fa888dec8861482752be4f06d98436076238
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid 728: server.exe

- Modifies Windows Firewall (1 TTP)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe

- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c8309bdb82116686a016a6d95c3b7f0.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c8309bdb82116686a016a6d95c3b7f0.exe | server.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c8309bdb82116686a016a6d95c3b7f0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0c8309bdb82116686a016a6d95c3b7f0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
    4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe

- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
    Token: SeDebugPrivilege | 728 | server.exe
    Token: 33 | 728 | server.exe
    Token: SeIncBasePriorityPrivilege | 728 | server.exe
    (the remaining 42 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 728, server.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 4652 wrote to memory of 728 | 4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe | server.exe
    PID 4652 wrote to memory of 728 | 4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe | server.exe
    PID 4652 wrote to memory of 728 | 4652 | 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe | server.exe
    PID 728 wrote to memory of 1708 | 728 | server.exe | netsh.exe
    PID 728 wrote to memory of 1708 | 728 | server.exe | netsh.exe
    PID 728 wrote to memory of 1708 | 728 | server.exe | netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 32KB
  MD5: 8b2046913245ac538271b9691210ca57
  SHA1: 437609ea4ce1f5d7e00fe55c8ec3b8e6ac3c8e55
  SHA256: 0cb3b41c1d5c11a3a15b323fae6449a61f67c9b50bc8d1c35d409c510a7d9149
  SHA512: 0b3f1c9d9c970dc01d4ec05ae839b5d8f34a0b0118c17ae51d492bc65d7b4e13206947189da7a68a73c26ace69e3fa888dec8861482752be4f06d98436076238
- memory/728-131-0x0000000000000000-mapping.dmp

- memory/728-134-0x0000000075470000-0x0000000075A21000-memory.dmp
  Filesize: 5.7MB

- memory/1708-135-0x0000000000000000-mapping.dmp

- memory/4652-130-0x0000000075470000-0x0000000075A21000-memory.dmp
  Filesize: 5.7MB