Analysis
- max time kernel: 189s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:22
Static task: static1
Behavioral task: behavioral1
  Sample: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
  Resource: win10v2004-20220414-en
General
- Target: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
- Size: 32KB
- MD5: f895f2c00c328e2d2a7bce695c63020f
- SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
- SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
- SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    2564 | server.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    description       | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
- Drops startup file (2 IoCs)
  Processes: server.exe
    description                  | ioc | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a684bb567bad75f3e8c3ee386f57b056.exe | server.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a684bb567bad75f3e8c3ee386f57b056.exe | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe
    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a684bb567bad75f3e8c3ee386f57b056 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a684bb567bad75f3e8c3ee386f57b056 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    pid  | process
    3568 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    3568 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe, server.exe
    description                       | pid  | process
    Token: SeDebugPrivilege           | 3568 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
    Token: SeDebugPrivilege           | 2564 | server.exe
    Token: 33                         | 2564 | server.exe
    Token: SeIncBasePriorityPrivilege | 2564 | server.exe
    (the last two rows alternate and are repeated 24 times in the report, making up the remaining 48 of the 50 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe, server.exe
    description                      | pid  | process | target process
    PID 3568 wrote to memory of 2564 | 3568 | a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe | server.exe  (3 identical entries)
    PID 2564 wrote to memory of 3812 | 2564 | server.exe | netsh.exe  (3 identical entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 32KB
  MD5: f895f2c00c328e2d2a7bce695c63020f
  SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
  SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
  SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 32KB
  MD5: f895f2c00c328e2d2a7bce695c63020f
  SHA1: 6eea1cbe833845785c800348b5293ff6a1b8cb7a
  SHA256: a4106262cdaf3660f6825e88667e2970a48e897060f65f789f36db3fb7517181
  SHA512: 3f351e7f3943c64c1e99eb03c92af8243589b2ff661b4fbf5f1a91af2db257c3209ac71014027ce5663e48e4b9d8c03ae29cf87bbd2d3fa5ee9289572cd0904e
- memory/2564-131-0x0000000000000000-mapping.dmp
- memory/2564-134-0x00000000746B0000-0x0000000074C61000-memory.dmp
  Filesize: 5.7MB
- memory/3568-130-0x00000000746B0000-0x0000000074C61000-memory.dmp
  Filesize: 5.7MB
- memory/3812-135-0x0000000000000000-mapping.dmp