Analysis
- max time kernel: 126s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
  Resource: win10v2004-20220414-en
General
- Target: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Size: 3.3MB
- MD5: 2630e21380cd389caa9a31e5b7113ab0
- SHA1: 67dd9f56bb740893b075afcf6572d645e2e31c8d
- SHA256: eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2
- SHA512: 68cc1da89814aa666dab9f57b6414ad2bc3e75659886b9718e2261d6098aa109dbe7a2809956497da11fffe305943511a13e27b96bd364719d4469a04f10ea84
Malware Config
Signatures
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill 1 IoCs
  Processes:
    pid | process
    4532 | taskkill.exe
- Modifies Internet Explorer settings 1 IoCs
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe = "11001" | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Runs ping.exe 1 TTPs 2 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4532 | taskkill.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
    pid | process
    312 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
    312 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
    description | pid | process | target process
    PID 312 wrote to memory of 3608 | 312 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe | cmd.exe
    PID 312 wrote to memory of 3608 | 312 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe | cmd.exe
    PID 312 wrote to memory of 3608 | 312 | eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe | cmd.exe
    PID 3608 wrote to memory of 4532 | 3608 | cmd.exe | taskkill.exe
    PID 3608 wrote to memory of 4532 | 3608 | cmd.exe | taskkill.exe
    PID 3608 wrote to memory of 4532 | 3608 | cmd.exe | taskkill.exe
    PID 3608 wrote to memory of 4484 | 3608 | cmd.exe | PING.EXE
    PID 3608 wrote to memory of 4484 | 3608 | cmd.exe | PING.EXE
    PID 3608 wrote to memory of 4484 | 3608 | cmd.exe | PING.EXE
    PID 3608 wrote to memory of 4436 | 3608 | cmd.exe | PING.EXE
    PID 3608 wrote to memory of 4436 | 3608 | cmd.exe | PING.EXE
    PID 3608 wrote to memory of 4436 | 3608 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe"
  Signatures:
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /PID 312 /F
      Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 2 -l 1
      Signatures:
      - Runs ping.exe
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 2 -l 1
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\update.bat
  Filesize: 639B
  MD5: 458d06d9dc263d28b2cd366400d46bbc
  SHA1: 2e7595dda159320928aaa3094cdeefaab5396bba
  SHA256: 254fb511a58dc9333311526de7e48814485a13bf831c7e13c3a84f6763d450e9
  SHA512: f966a4902cdf3ea3c91943c61a5267d76974e97e61ac076d566ddaf8d66a4cdc2da194b15c8b48ef60b8d8285e7775c92d582066cc94bf03f3528570150621f5
- memory/3608-130-0x0000000000000000-mapping.dmp
- memory/4436-134-0x0000000000000000-mapping.dmp
- memory/4484-133-0x0000000000000000-mapping.dmp
- memory/4532-132-0x0000000000000000-mapping.dmp