Analysis

- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-05-2022 05:26

Static task: static1

Behavioral task: behavioral1
  Sample: 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
  Resource: win10v2004-20220414-en
General

- Target: 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
- Size: 234KB
- MD5: 28713700cc4cf8795a8766fe420e4696
- SHA1: d56b0cef59368a5753c43037ca6cc9e4b33b11a7
- SHA256: 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41
- SHA512: 5b9fe21edecc4d23fee40fe05b4566bf17a341af6c0f63f5f62afbd1b6d71b9ab9bf2e0b34248c9a3e90f117fa0cc19d32cadb70bcb7cbb3324c0e07f8fbbd74
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
- Modifies file permissions (1 TTP, 5 IoCs)
  Processes (pid | process):
    1628 | icacls.exe
    1760 | icacls.exe
    4892 | icacls.exe
    4724 | icacls.exe
    5000 | icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (3 IoCs)
  Processes (pid | process):
    1208 | taskkill.exe
    2552 | taskkill.exe
    2728 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1208 | taskkill.exe
    Token: SeDebugPrivilege | 2552 | taskkill.exe
    Token: SeDebugPrivilege | 2728 | taskkill.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description | pid | process | target process):
    PID 1200 wrote to memory of 3108 | 1200 | 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe | cmd.exe
    PID 1200 wrote to memory of 3108 | 1200 | 0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe | cmd.exe
    PID 3108 wrote to memory of 1208 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 1208 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 2552 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 2552 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 2728 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 2728 | 3108 | cmd.exe | taskkill.exe
    PID 3108 wrote to memory of 3268 | 3108 | cmd.exe | attrib.exe
    PID 3108 wrote to memory of 3268 | 3108 | cmd.exe | attrib.exe
    PID 3108 wrote to memory of 1628 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 1628 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 1760 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 1760 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 4892 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 4892 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 4724 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 4724 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 5000 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 5000 | 3108 | cmd.exe | icacls.exe
    PID 3108 wrote to memory of 4016 | 3108 | cmd.exe | reg.exe
    PID 3108 wrote to memory of 4016 | 3108 | cmd.exe | reg.exe
    PID 3108 wrote to memory of 3392 | 3108 | cmd.exe | reg.exe
    PID 3108 wrote to memory of 3392 | 3108 | cmd.exe | reg.exe
    PID 3108 wrote to memory of 4920 | 3108 | cmd.exe | reg.exe
    PID 3108 wrote to memory of 4920 | 3108 | cmd.exe | reg.exe
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
Process tree (depth shown in brackets; each entry gives the image path, then the command line, then the signatures it triggered):

[1] C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7062.tmp\7063.tmp\7064.bat C:\Users\Admin\AppData\Local\Temp\0af412e0143612421adb293c6001cbb2c1bb45b7b076b897e582757c0c199e41.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /IM WimSCP.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /IM ATKPrwCtrl.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /IM Aupuf.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\attrib.exe
        Command line: attrib "C:\ProgramData\AMDControlPanelClient" -s -h -r /S /D
        - Views/modifies file attributes

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\AMDControlPanelClient" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        - Modifies file permissions

    [3] C:\Windows\system32\reg.exe
        Command line: REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v AMD GPU Optimization /F

    [3] C:\Windows\system32\reg.exe
        Command line: REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AMD GPU Optimization /F

    [3] C:\Windows\system32\reg.exe
        Command line: REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AMD GPU Optimization /F
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\7062.tmp\7063.tmp\7064.bat
  Filesize: 1KB
  MD5: 57933d14dbc025036b72e4c8516a7ce1
  SHA1: b6403e5d4c55cfc168027a33aeddf04d30f3ba47
  SHA256: e23229afdf11d0708fa6ebd9c4c28fab1d0a59d3894e51c4c668064de55a1b45
  SHA512: dcd226f0666fd6566216318b85b505222760355509c962f0dbdc3e5b3c3e10bc57eb44d42ead647a74d08c3043662e180010fd0acb3dc7a4ae32afaf94d80ad3
Memory dumps (one mapping dump per child process PID):

- memory/1208-132-0x0000000000000000-mapping.dmp
- memory/1628-136-0x0000000000000000-mapping.dmp
- memory/1760-137-0x0000000000000000-mapping.dmp
- memory/2552-133-0x0000000000000000-mapping.dmp
- memory/2728-134-0x0000000000000000-mapping.dmp
- memory/3108-130-0x0000000000000000-mapping.dmp
- memory/3268-135-0x0000000000000000-mapping.dmp
- memory/3392-142-0x0000000000000000-mapping.dmp
- memory/4016-141-0x0000000000000000-mapping.dmp
- memory/4724-139-0x0000000000000000-mapping.dmp
- memory/4892-138-0x0000000000000000-mapping.dmp
- memory/4920-143-0x0000000000000000-mapping.dmp
- memory/5000-140-0x0000000000000000-mapping.dmp