Analysis
- max time kernel: 152s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Resource: win10v2004-20220414-en
General
- Target: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
- Size: 181KB
- MD5: 33caaaa642770f60f9298e627ac2a70e
- SHA1: b79349e8ef626045d86d3d099d4ad6cf58d6c7c0
- SHA256: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f
- SHA512: 4aaf1835f7909672d8356e7b4bbb06391be57030d98fd3e9bbe3bed42720dd001d8c32a64f1e197156d0365551ab3004ee1e01554f5bbf99b246f9d06fed3d64
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  PID 2028  server.exe
Modifies Windows Firewall 1 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
Drops startup file 2 IoCs
Processes:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db7cacf80649a64239b0e12870c9e1a0.exe  server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db7cacf80649a64239b0e12870c9e1a0.exe  server.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db7cacf80649a64239b0e12870c9e1a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\db7cacf80649a64239b0e12870c9e1a0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."  server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 3360  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
  PID 3360  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
  Token: SeDebugPrivilege  PID 3360  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
  Token: SeDebugPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
  Token: 33  PID 2028  server.exe
  Token: SeIncBasePriorityPrivilege  PID 2028  server.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  PID 3360 wrote to memory of 2028  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe -> server.exe
  PID 3360 wrote to memory of 2028  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe -> server.exe
  PID 3360 wrote to memory of 2028  767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe -> server.exe
  PID 2028 wrote to memory of 4100  server.exe -> netsh.exe
  PID 2028 wrote to memory of 4100  server.exe -> netsh.exe
  PID 2028 wrote to memory of 4100  server.exe -> netsh.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\server.exe
- Filesize: 181KB
- MD5: 33caaaa642770f60f9298e627ac2a70e
- SHA1: b79349e8ef626045d86d3d099d4ad6cf58d6c7c0
- SHA256: 767a2c2cdb3e34333727a4594d345d55da89528d0219bf8e9a2b01567ad0045f
- SHA512: 4aaf1835f7909672d8356e7b4bbb06391be57030d98fd3e9bbe3bed42720dd001d8c32a64f1e197156d0365551ab3004ee1e01554f5bbf99b246f9d06fed3d64
memory/2028-131-0x0000000000000000-mapping.dmp
memory/2028-134-0x00000000754D0000-0x0000000075A81000-memory.dmp
- Filesize: 5.7MB
memory/3360-130-0x00000000754D0000-0x0000000075A81000-memory.dmp
- Filesize: 5.7MB
memory/4100-135-0x0000000000000000-mapping.dmp