Analysis
- max time kernel: 99s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-06-2022 15:39
Static task
static1
Behavioral task
behavioral1
Sample
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
Resource
win10v2004-20220414-en
General
- Target: 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
- Size: 586KB
- MD5: b26c6f36a8711168dc8d2882a6cab0c2
- SHA1: e133a7dad21664672df96f0e6c956effe2ac7350
- SHA256: 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
- SHA512: f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  pid | Process
  2092 | litegen.exe
  3416 | litegen.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lite = "C:\\Users\\Admin\\AppData\\Local\\litegen.exe -boot" | litegen.exe
- Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2092 set thread context of 3416 | 2092 | litegen.exe | 91
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
  Token: 33 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
  Token: SeIncBasePriorityPrivilege | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
  Token: SeDebugPrivilege | 2092 | litegen.exe
  Token: 33 | 2092 | litegen.exe
  Token: SeIncBasePriorityPrivilege | 2092 | litegen.exe
- Suspicious use of WriteProcessMemory 16 IoCs
  description | pid | Process | procid_target
  PID 4976 wrote to memory of 3028 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 85
  PID 4976 wrote to memory of 3028 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 85
  PID 4976 wrote to memory of 3028 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 85
  PID 4976 wrote to memory of 1376 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 88
  PID 4976 wrote to memory of 1376 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 88
  PID 4976 wrote to memory of 1376 | 4976 | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe | 88
  PID 1376 wrote to memory of 2092 | 1376 | cmd.exe | 90
  PID 1376 wrote to memory of 2092 | 1376 | cmd.exe | 90
  PID 1376 wrote to memory of 2092 | 1376 | cmd.exe | 90
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
  PID 2092 wrote to memory of 3416 | 2092 | litegen.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe "C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
  C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe" "C:\Users\Admin\AppData\Local\litegen.exe"
  PID:3028
  C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\litegen.exe"
  - Suspicious use of WriteProcessMemory
  PID:1376
    C:\Users\Admin\AppData\Local\litegen.exe "C:\Users\Admin\AppData\Local\litegen.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
      C:\Users\Admin\AppData\Local\litegen.exe "C:\Users\Admin\AppData\Local\litegen.exe"
      - Executes dropped EXE
      PID:3416
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 586KB
  MD5: b26c6f36a8711168dc8d2882a6cab0c2
  SHA1: e133a7dad21664672df96f0e6c956effe2ac7350
  SHA256: 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
  SHA512: f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910