41fb88ffd15b8f18847e6828f64f78d709cb5130af97a5fa96de3bdd3a57d6b7

Analysis

max time kernel
150s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa720aec88d230bed0716ec12e792ff5.exe
Size

106KB
MD5

aa720aec88d230bed0716ec12e792ff5
SHA1

9c55fbed15ca309a7b26d43b87ca6b2ca21b6875
SHA256

41fb88ffd15b8f18847e6828f64f78d709cb5130af97a5fa96de3bdd3a57d6b7
SHA512

424bb24d107efd746c516be23ebf58740a770d77626a9af3c6e2152d688c4334e88e4b662ad8bc9b2c634adaf83f2f1d59c30a82c2a97fe9ebf2f7e8f7ab9a7d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa720aec88d230bed0716ec12e792ff5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	aa720aec88d230bed0716ec12e792ff5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1692 2900 WerFault.exe aa720aec88d230bed0716ec12e792ff5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aa720aec88d230bed0716ec12e792ff5.exe

description pid process

Token: SeDebugPrivilege 2900 aa720aec88d230bed0716ec12e792ff5.exe

pid	pid_target	process	target process
1692	2900	WerFault.exe	aa720aec88d230bed0716ec12e792ff5.exe

description	pid	process
Token: SeDebugPrivilege	2900	aa720aec88d230bed0716ec12e792ff5.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aa720aec88d230bed0716ec12e792ff5.exe

description	pid	process	target process
PID 2900 wrote to memory of 456	2900	aa720aec88d230bed0716ec12e792ff5.exe	cmd.exe
PID 2900 wrote to memory of 456	2900	aa720aec88d230bed0716ec12e792ff5.exe	cmd.exe
PID 2900 wrote to memory of 456	2900	aa720aec88d230bed0716ec12e792ff5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aa720aec88d230bed0716ec12e792ff5.exe
"C:\Users\Admin\AppData\Local\Temp\aa720aec88d230bed0716ec12e792ff5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1880
2⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2900 -ip 2900
1⤵
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-131-0x0000000000000000-mapping.dmp

Download
memory/2900-130-0x00000000007B0000-0x00000000007D0000-memory.dmp

Filesize
128KB

Download