Analysis
- max time kernel: 153s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-06-2022 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
  Resource: win10v2004-20220414-en
General
- Target: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
- Size: 216KB
- MD5: 8505936955f4b5fd5b6844f914abd3ad
- SHA1: 6cb392462d5f5a84ebdec75f4c3630ecf8b71b6e
- SHA256: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a
- SHA512: f06a690b9f638a79410db6d5a08b444f16da3515d2b6cbbd78e826ed38136a4a4a242359909970464f5c928b0773b341cc8917aabf788d9b34065e0a8614fa4f
Malware Config
Extracted
- Family: tofsee
- 103.232.222.57
- 111.121.193.242
- 123.249.0.22
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    - pid 4224: putwnbfg.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    - Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\putwnbfg.exe\"" (process: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    - PID 4224 set thread context of 3212 (process: putwnbfg.exe, target process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    - pid 4556 (WerFault.exe), pid_target 3212 (svchost.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    - pid 3944: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
    - pid 4224: putwnbfg.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    - PID 3944 wrote to memory of 4224 (process: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe, target process: putwnbfg.exe) - listed 3 times
    - PID 3944 wrote to memory of 4100 (process: 10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe, target process: cmd.exe) - listed 3 times
    - PID 4224 wrote to memory of 3212 (process: putwnbfg.exe, target process: svchost.exe) - listed 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10230ffb08bcad488b7b316a9eb55a556ce66f468c1ad40b739432c159a8d30a.exe"
  PID: 3944
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\putwnbfg.exe
    Command line: "C:\Users\Admin\putwnbfg.exe"
    PID: 4224
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3212
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 468
        PID: 4556
        - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6767.bat" "
    PID: 4100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 3212
  PID: 4768
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\6767.bat
  Filesize: 302B
  MD5: 0f30c7524e0ecf8fe27bde26b4440556
  SHA1: 367d9ce10592631d2b6829df63742a9d22770de8
  SHA256: 2d0974509afe422e5ef20bc3c9822e89bcf591b6f5e14ebc5d7790f2a177d218
  SHA512: 857bdb4ca3ae0391ff21b1c566704f4fe5e6e73150e88b80735decf17bc7ef2c24f7963b945927aedd2bd8bad41383a0cc5fda19a55c0e0516fa50473e35a7a9
- C:\Users\Admin\putwnbfg.exe
  Filesize: 48.6MB
  MD5: f54da7330529608b15d5c2e14f28d793
  SHA1: 736b0c6e5fc3f4adbfbf392a8030fd22c24d4881
  SHA256: 9634bd6660a0c85a23ec79ee94332eb37cb218cef1bf4dc44ee4d6c5bbbf7fd9
  SHA512: d704f0947a5057e41387b0d4ba637ef29fec2ae44c0b2e51a2128609e78356b58668d1f6a7cad9a2b007ef510ad235af7c0dc7d5631e9525f37ffc9d4a673c0c
- memory/3212-159-0x00000000008E0000-0x00000000008F2000-memory.dmp
  Filesize: 72KB
- memory/3212-157-0x00000000008E0000-0x00000000008F2000-memory.dmp
  Filesize: 72KB
- memory/3212-153-0x0000000000000000-mapping.dmp
- memory/3212-154-0x00000000008E0000-0x00000000008F2000-memory.dmp
  Filesize: 72KB
- memory/3212-158-0x00000000008E0000-0x00000000008F2000-memory.dmp
  Filesize: 72KB
- memory/3944-138-0x00000000752E0000-0x000000007543D000-memory.dmp
  Filesize: 1.4MB
- memory/3944-145-0x00000000752E0000-0x000000007543D000-memory.dmp
  Filesize: 1.4MB
- memory/3944-132-0x0000000002E51000-0x0000000002E56000-memory.dmp
  Filesize: 20KB
- memory/3944-134-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/4100-144-0x0000000000000000-mapping.dmp
- memory/4224-146-0x0000000002CA1000-0x0000000002CA6000-memory.dmp
  Filesize: 20KB
- memory/4224-155-0x00000000752E0000-0x000000007543D000-memory.dmp
  Filesize: 1.4MB
- memory/4224-139-0x0000000000000000-mapping.dmp