Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 00:56
Static task
static1
Behavioral task
behavioral1
Sample
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Resource
win10v2004-20220414-en
General
-
Target
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
-
Size
82KB
-
MD5
6e6667b71a86780268828232d4363f63
-
SHA1
e6f6cb0f70c628c797d2e79717cc331c8f5d3f76
-
SHA256
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef
-
SHA512
6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
NetFramework.exepid process 1216 NetFramework.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exeNetFramework.exedescription pid process Token: SeDebugPrivilege 3144 6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe Token: SeDebugPrivilege 1216 NetFramework.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exedescription pid process target process PID 3144 wrote to memory of 1216 3144 6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe NetFramework.exe PID 3144 wrote to memory of 1216 3144 6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe NetFramework.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe"C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exeFilesize
82KB
MD56e6667b71a86780268828232d4363f63
SHA1e6f6cb0f70c628c797d2e79717cc331c8f5d3f76
SHA2566f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef
SHA5126400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exeFilesize
82KB
MD56e6667b71a86780268828232d4363f63
SHA1e6f6cb0f70c628c797d2e79717cc331c8f5d3f76
SHA2566f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef
SHA5126400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395
-
memory/1216-132-0x0000000000000000-mapping.dmp
-
memory/1216-135-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmpFilesize
10.8MB
-
memory/3144-130-0x000001C92F070000-0x000001C92F08C000-memory.dmpFilesize
112KB
-
memory/3144-131-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmpFilesize
10.8MB