Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:32
Static task: static1
Behavioral task: behavioral1
  Sample: air way bill.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: air way bill.exe
  Resource: win10v2004-20220414-en
General
- Target: air way bill.exe
- Size: 861KB
- MD5: c9e0dc9c74c3782c0319ed1ce090287d
- SHA1: 9fabc323f888b25b7005d2f793ac941c9091f0f3
- SHA256: b2169a0b14394b89cad7d3d4092b1a3e940c4504f9e7d982ebbcfd0b8c603530
- SHA512: 8d13fa2d64d7a5fcb6e57ec014b18e469092ab122a6850dffbe37afc7d752f5c80a50b4cfa171194cf1e96614c0c9c3de50978c9a26f50805b5a016c436180d5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: air way bill.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: air way bill.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: air way bill.exe
    description: PID 2068 set thread context of 4624
    pid: 2068
    process: air way bill.exe
    target process: air way bill.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: air way bill.exe, air way bill.exe, powershell.exe
    pid 2068  process air way bill.exe  (3 times)
    pid 4624  process air way bill.exe  (2 times)
    pid 4340  process powershell.exe    (2 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: air way bill.exe, air way bill.exe, powershell.exe
    description Token: SeDebugPrivilege  pid 2068  process air way bill.exe
    description Token: SeDebugPrivilege  pid 4624  process air way bill.exe
    description Token: SeDebugPrivilege  pid 4340  process powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: air way bill.exe, air way bill.exe, cmd.exe
    PID 2068 wrote to memory of 3368  (air way bill.exe -> schtasks.exe)      3 times
    PID 2068 wrote to memory of 4624  (air way bill.exe -> air way bill.exe)  8 times
    PID 4624 wrote to memory of 64    (air way bill.exe -> cmd.exe)           3 times
    PID 64 wrote to memory of 4340    (cmd.exe -> powershell.exe)             3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\air way bill.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\air way bill.exe"
   PID: 2068
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJcljmyFlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DC4.tmp"
      PID: 3368
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      Command line: "{path}"
      PID: 4624
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\air way bill.exe' & exit
         PID: 64
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\air way bill.exe'
            PID: 4340
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- Filesize: 1KB
  MD5: 7068756774f92259a6f4d07c12e869bb
  SHA1: 7ff512fb7e34b959ab00a67b556e4e0bf57ced45
  SHA256: a8efebff223b9bcd7fe0a197eb598df5db6d673e9a420ac030bd3a5b55e913f3
  SHA512: eb4b667a3223514c779f8f38c14cfce8c6520fdd359ab23f1e224891c3ddb2f6076408254125cc88c495ffa2ee6047f299e2fd73ead3fced2a0a87ef78effe19