Analysis
- max time kernel: 91s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-06-2022 11:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe
- Resource: win10v2004-20220414-en
General
- Target: 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe
- Size: 105KB
- MD5: 69d71cf9af28c732b1cf0f53a141b774
- SHA1: 67551bc2cd84ddca9426816b7f334e8ab72b7113
- SHA256: 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0
- SHA512: b7ade6e68401c04b3b39ce2971252f914dcb8abbf710f12edfbacf6333164f438841b20219790fbfb96a55a8024327b445c63b1051d25d4ec4d976f0e1a7d20e
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  22    ipinfo.io

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                               target process
  PID 4668 set thread context of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2712  powershell.exe
  2712  powershell.exe
  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe
  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2712  powershell.exe
  Token: SeDebugPrivilege  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                               target process
  PID 4668 wrote to memory of 2712  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  powershell.exe
  PID 4668 wrote to memory of 2712  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  powershell.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
  PID 4668 wrote to memory of 4716  4668  1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe  MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0.exe"
  PID: 4668
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    PID: 2712
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    PID: 4716