Analysis
max time kernel: 91s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:28

Behavioral task: behavioral1
Sample: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Size: 658KB
MD5: 6d6aceaf5c3f2d9c02d292c15e4ff3d6
SHA1: b92e13064b7693551963909d879f1e9eae57a021
SHA256: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3
SHA512: 6a78c45f1dc631f77b2bc5f7e2bc3e7dc31c8aa81f46f549de035616f922c277dce75bf12a710d3be02731e87f649a5cbb36e08226e256a141bad91ba51cfbb9

Malware Config
Signatures

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

- Disables Task Manager via registry modification

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSecurityPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeTakeOwnershipPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeLoadDriverPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemProfilePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemtimePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeProfSingleProcessPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeIncBasePriorityPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeCreatePagefilePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeBackupPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeRestorePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeShutdownPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeDebugPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeSystemEnvironmentPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeChangeNotifyPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeRemoteShutdownPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeUndockPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeManageVolumePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeImpersonatePrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: SeCreateGlobalPrivilege | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 33 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 34 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 35 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Token: 36 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  pid | process
  4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 4556 wrote to memory of 3932 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 4556 wrote to memory of 3932 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 4556 wrote to memory of 3932 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 4556 wrote to memory of 2456 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 4556 wrote to memory of 2456 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 4556 wrote to memory of 2456 | 4556 | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe | cmd.exe
  PID 3932 wrote to memory of 1280 | 3932 | cmd.exe | attrib.exe
  PID 3932 wrote to memory of 1280 | 3932 | cmd.exe | attrib.exe
  PID 3932 wrote to memory of 1280 | 3932 | cmd.exe | attrib.exe
  PID 2456 wrote to memory of 2436 | 2456 | cmd.exe | attrib.exe
  PID 2456 wrote to memory of 2436 | 2456 | cmd.exe | attrib.exe
  PID 2456 wrote to memory of 2436 | 2456 | cmd.exe | attrib.exe

- System policy modification (1 TTPs, 3 IoCs)
  Processes: ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1280 | attrib.exe
  2436 | attrib.exe
Processes

- Image: C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe"
  - Modifies firewall policy service
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
      - Views/modifies file attributes
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes