Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-06-2022 04:26
General
-
Target
1a13578cce30300c8468be6adaf29fba9282e3267555a26876bedbb4695bd6f7.exe
-
Size
1.2MB
-
MD5
2475fda58a0ac4c571deb76001a6d81d
-
SHA1
f1a74f6500a64bcc2ae2a5c15d59bd96f43dd115
-
SHA256
1a13578cce30300c8468be6adaf29fba9282e3267555a26876bedbb4695bd6f7
-
SHA512
65e9e5d482ed5d4d68284756639265a7802f455238f9e750175ba43b5f9ba404122cc840c10da94c9416a6c4bd2ecb1da8722ba456a6bca5365bd4d9c659f940
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a13578cce30300c8468be6adaf29fba9282e3267555a26876bedbb4695bd6f7.exe"C:\Users\Admin\AppData\Local\Temp\1a13578cce30300c8468be6adaf29fba9282e3267555a26876bedbb4695bd6f7.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\MATERIAL DRAWING.exe.lnk" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FolderN\MATERIAL DRAWING.exeFilesize
1.2MB
MD52475fda58a0ac4c571deb76001a6d81d
SHA1f1a74f6500a64bcc2ae2a5c15d59bd96f43dd115
SHA2561a13578cce30300c8468be6adaf29fba9282e3267555a26876bedbb4695bd6f7
SHA51265e9e5d482ed5d4d68284756639265a7802f455238f9e750175ba43b5f9ba404122cc840c10da94c9416a6c4bd2ecb1da8722ba456a6bca5365bd4d9c659f940
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
89KB
MD584c42d0f2c1ae761bef884638bc1eacd
SHA14353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA51243c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
89KB
MD584c42d0f2c1ae761bef884638bc1eacd
SHA14353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA51243c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
-
memory/1528-130-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB
-
memory/1528-131-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB
-
memory/1528-140-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB
-
memory/1764-132-0x0000000000000000-mapping.dmp
-
memory/1936-133-0x0000000000000000-mapping.dmp
-
memory/2916-135-0x0000000000000000-mapping.dmp
-
memory/2916-139-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB
-
memory/2916-141-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB
-
memory/2916-142-0x00000000747B0000-0x0000000074D61000-memory.dmpFilesize
5.7MB