Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:38
Behavioral task behavioral1
- Sample: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Resource: win10v2004-20220414-en
The signatures and process tree on this page are from the win10v2004-20220414-en run (behavioral2), matching the resource named under Analysis; the win7 run is listed but its results are not shown here.
General
- Target: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
- Size: 251KB
- MD5: dfa5a24fcaf54c7a0281e86994eba56b
- SHA1: bb3a4e20e147f646c560b95c645f0ac813ab8ef7
- SHA256: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf
- SHA512: efc1e5843f4145563599cf94a983013d986b7bf1f5acb188ab8e9a67e18129c447ad510fe03294ad10924690c79196bbc912acc158e898337880336d36fa1ea6
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"
  Note: the stock Userinit data is the single entry "C:\\Windows\\system32\\userinit.exe," and winlogon.exe runs every comma-separated entry at each interactive logon. Keeping userinit.exe first means logon still works normally while the appended file (the extensionless "Java" under %TEMP%\MSDCSC) is launched alongside it (ATT&CK T1547.004, Winlogon Helper DLL). The key is under HKLM, so the write needs administrative rights; the sandbox user here is Admin and the token privilege adjustments are recorded below.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Note: Geo\Nation holds the location the user configured in Region settings, not anything derived from the network, and the report does not show what the sample did with the value, so treat the geofence reading as plausible rather than confirmed.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"
  Note: a second autostart for the same dropped file, this time per-user under HKCU so it survives even if the HKLM Winlogon write is reverted (ATT&CK T1547.001, Registry Run Keys). Two details worth alerting on in their own right: the value name "svhost" is one character off the legitimate "svchost", and the target lives in the user's Temp directory with no executable extension.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The report labels this as likely ransomware behaviour, but that is a generic heuristic: no file encryption, ransom note or bulk file modification appears anywhere in this report, so the drive enumeration is weak evidence on its own.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: 8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe (PID 4796) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus four the report lists only by LUID: 33, 34, 35, 36 (in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  Note: touching every privilege present in the token in one sweep, rather than the one or two a given action needs, is the signature of a blanket AdjustTokenPrivileges loop. Of the set, SeDebugPrivilege, SeBackupPrivilege/SeRestorePrivilege and SeTakeOwnershipPrivilege are the ones that matter for later process access and file tampering.
- Suspicious use of WriteProcessMemory (12 IoCs)
  source PID -> target PID (source process -> target process), each pair recorded three times:
  4796 -> 4052 (8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe -> cmd.exe)
  4796 -> 1268 (8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe -> cmd.exe)
  4052 -> 4120 (cmd.exe -> attrib.exe)
  1268 -> 4860 (cmd.exe -> attrib.exe)
  Note: every write goes from a parent into a child it has just spawned (compare the process tree below), which is consistent with the parent setting up the new process during creation; nothing here shows a write into an unrelated process, so this entry is not evidence of injection.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 4120), attrib.exe (PID 4860)
Processes
- C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
Notes on the tree:
- The command lines name C:\Windows\System32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: file system redirection rewrote the path, which tells you the sample is a 32-bit executable running under WOW64 on this x64 guest.
- attrib +s +h sets the System and Hidden attributes on the sample's own file and on the whole of the user's Temp directory (where the MSDCSC\Java autostart also lives). Files carrying both attributes stay hidden in Explorer even with "show hidden files" enabled, as long as "Hide protected operating system files" is on, and are omitted by a plain dir; dir /a or attrib with no switches still lists them.
- cmd.exe /k runs the command and then keeps the shell process alive, so the two cmd.exe instances outlive their attrib.exe children.
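To turn the process tree into a detection rather than a picture, the useful question is not "did attrib.exe run" but "did attrib.exe hide the file or directory of the process that spawned it". The following Python is an added example, not part of the sandbox report and not the sample's code. PROCESSES is constructed from the tree above together with the PIDs in the WriteProcessMemory section; pairing PIDs 4052/4120 with the first cmd/attrib pair and 1268/4860 with the second follows the order in which the report lists them and is an assumption. The parser handles attrib's general syntax (any mix of +X/-X switches, /S and /D, a quoted path), so it goes beyond the two command lines on this page.

```python
"""Parse attrib.exe command lines from a process tree and flag self-hiding.

Added example; not part of the sandbox report and not the sample's code.
PROCESSES is constructed from this page's process tree; the mapping of
PIDs to the two cmd/attrib pairs is an assumption based on listing order.
"""
import re
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\System32\cmd.exe"   # as written on the command line; loaded from SysWOW64

PROCESSES: Dict[int, dict] = {
    4796: dict(parent=None, image=SAMPLE, cmdline='"' + SAMPLE + '"'),
    4052: dict(parent=4796, image=r"C:\Windows\SysWOW64\cmd.exe",
               cmdline='"' + CMD + '" /k attrib "' + SAMPLE + '" +s +h'),
    4120: dict(parent=4052, image=r"C:\Windows\SysWOW64\attrib.exe",
               cmdline='attrib "' + SAMPLE + '" +s +h'),
    1268: dict(parent=4796, image=r"C:\Windows\SysWOW64\cmd.exe",
               cmdline='"' + CMD + '" /k attrib "' + TEMP + '" +s +h'),
    4860: dict(parent=1268, image=r"C:\Windows\SysWOW64\attrib.exe",
               cmdline='attrib "' + TEMP + '" +s +h'),
}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
FLAG_RE = re.compile(r"^[+-][rashoixpu]$", re.I)   # attrib's attribute switches


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_attrib(cmdline: str) -> Optional[dict]:
    """Decode an attrib invocation (direct, or via 'cmd /k attrib ...'); None if not attrib."""
    toks = split_cmdline(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.rpartition("\\")[2].lower() in ("attrib", "attrib.exe")), None)
    if start is None:
        return None
    info = {"set": set(), "clear": set(), "targets": [], "recursive": False}
    for t in toks[start + 1:]:
        if FLAG_RE.match(t):
            info["set" if t[0] == "+" else "clear"].add(t[1].lower())
        elif t.startswith("/"):
            info["recursive"] = info["recursive"] or t.lower() == "/s"
        else:
            info["targets"].append(t)
    return info


def ancestors(pid: int) -> List[int]:
    """PIDs up the parent chain, nearest first."""
    chain, p = [], PROCESSES[pid]["parent"]
    while p is not None:
        chain.append(p)
        p = PROCESSES[p]["parent"]
    return chain


def assess_attrib(pid: int) -> List[str]:
    """Findings for one process: does its attrib call hide an ancestor's own files?"""
    info = parse_attrib(PROCESSES[pid]["cmdline"])
    if info is None:
        return []
    findings: List[str] = []
    if {"s", "h"} <= info["set"]:
        findings.append("sets System+Hidden: invisible in Explorer while 'Hide protected "
                        "operating system files' is on, and omitted by a plain dir")
    for target in info["targets"]:
        t = target.lower().rstrip("\\")
        for anc in ancestors(pid):
            img = PROCESSES[anc]["image"].lower()
            if t == img:
                findings.append(f"hides the image of ancestor PID {anc}: {target}")
            elif img.startswith(t + "\\"):
                findings.append(f"hides the directory holding ancestor PID {anc}'s image: {target}")
    return findings


if __name__ == "__main__":
    for pid in PROCESSES:
        for line in assess_attrib(pid):
            print(pid, line)
```

On this tree, PID 4120 (and its cmd.exe parent 4052, which carries the same command line) is flagged for hiding the image of PID 4796, and PID 4860 (and 1268) for hiding the directory that holds it; the sample itself, with no attrib in its command line, produces nothing. Matching the attrib target against the ancestor chain rather than against the immediate parent is what catches the cmd.exe /k indirection.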