Analysis
- max time kernel: 153s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:00

Static task: static1

Behavioral task: behavioral1
- Sample: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
- Resource: win10v2004-20220414-en
General
- Target: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
- Size: 118KB
- MD5: 9fea48280651d7daede8ff94fddcc39c
- SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
- SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
- SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Internet Explorer.exe (pid 2904)
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (by 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  Processes: Internet Explorer.exe (pid 2904), 45 identical entries
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Internet Explorer.exe (pid 2904), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 1572 (52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe) wrote to memory of PID 2904 (Internet Explorer.exe), 3 entries
  PID 2904 (Internet Explorer.exe) wrote to memory of PID 3788 (netsh.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Internet Explorer.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child process)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe" "Internet Explorer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
  Filesize: 118KB
  MD5: 9fea48280651d7daede8ff94fddcc39c
  SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
  SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
  SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298
- memory/1572-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  Filesize: 5.7MB
- memory/2904-131-0x0000000000000000-mapping.dmp
- memory/2904-135-0x00000000748F0000-0x0000000074EA1000-memory.dmp
  Filesize: 5.7MB
- memory/3788-134-0x0000000000000000-mapping.dmp