Analysis

  • max time kernel
    111s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 15:38

General

  • Target

    261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe

  • Size

    578KB

  • MD5

    d74c5e0c9d288faa8b3df90a42f1ed67

  • SHA1

    ffb778ad8b96a78da8660af132ed2e7b67131ecc

  • SHA256

    261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da

  • SHA512

    979510f36159a6444e155fb3f26a2e4f436fbde624149974d6f8dadb202d9958d0e68a9a1f5eaeeece61c817ef21fc8e3475b7dde48d8cbeb470b94268683621

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe
    "C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe
        mbrwiz /vol=C: /active /confirm
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Writes to the Master Boot Record (MBR)
        • Checks SCSI registry key(s)
        PID:2164
      • C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe
        bootsect /nt60 C:
        3⤵
        • Executes dropped EXE
        PID:4116

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe

    Filesize

    209KB

    MD5

    8750f91801c31fb3636f9ce127d26ae0

    SHA1

    f5d610da75ad0718ab226b8e7c1eefa0738edc8f

    SHA256

    bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

    SHA512

    cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

  • C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe

    Filesize

    95KB

    MD5

    748e3755d83e56206f810be3626c88b2

    SHA1

    886c338a07430db91345210c00c0722de4885588

    SHA256

    33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

    SHA512

    5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

  • C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd

    Filesize

    91B

    MD5

    2721ea31c2c1cb23943487485e856f15

    SHA1

    16fd43ada69c4ebf07cb2fbd73d29effcda69aaa

    SHA256

    2918322c28413b3fe901a356608067d8ceb4195d9cb95a110eeb78d1d1d72fb4

    SHA512

    a20e571cfd419826e4b4aea35f5996c18dc19b3fc1b7f57913d156c504592aa5f52343a26d8bc025bc92cac424ff0b9f1f64e8a1fb6f361fa6c97648099cc11f

  • memory/2164-132-0x0000000000000000-mapping.dmp

  • memory/4116-135-0x0000000000000000-mapping.dmp

  • memory/4396-130-0x0000000000000000-mapping.dmp