Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-06-2022 16:00
Static task: static1
Behavioral task: behavioral1
- Sample: aa720aec88d230bed0716ec12e792ff5.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: aa720aec88d230bed0716ec12e792ff5.exe
- Resource: win10v2004-20220414-en
General
- Target: aa720aec88d230bed0716ec12e792ff5.exe
- Size: 106KB
- MD5: aa720aec88d230bed0716ec12e792ff5
- SHA1: 9c55fbed15ca309a7b26d43b87ca6b2ca21b6875
- SHA256: 41fb88ffd15b8f18847e6828f64f78d709cb5130af97a5fa96de3bdd3a57d6b7
- SHA512: 424bb24d107efd746c516be23ebf58740a770d77626a9af3c6e2152d688c4334e88e4b662ad8bc9b2c634adaf83f2f1d59c30a82c2a97fe9ebf2f7e8f7ab9a7d
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: aa720aec88d230bed0716ec12e792ff5.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: aa720aec88d230bed0716ec12e792ff5.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid 1692 (WerFault.exe) -> target pid 2900 (aa720aec88d230bed0716ec12e792ff5.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: aa720aec88d230bed0716ec12e792ff5.exe
    Token: SeDebugPrivilege, pid 2900 (aa720aec88d230bed0716ec12e792ff5.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: aa720aec88d230bed0716ec12e792ff5.exe
    PID 2900 (aa720aec88d230bed0716ec12e792ff5.exe) wrote to memory of PID 456 (cmd.exe), 3 identical records
Processes
- C:\Users\Admin\AppData\Local\Temp\aa720aec88d230bed0716ec12e792ff5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa720aec88d230bed0716ec12e792ff5.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1880
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2900 -ip 2900