Analysis
- max time kernel: 107s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-06-2022 12:55
Static task: static1
Behavioral task: behavioral1
- Sample: 69d71cf9af28c732b1cf0f53a141b774.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 69d71cf9af28c732b1cf0f53a141b774.exe
- Resource: win10v2004-20220414-en
General
- Target: 69d71cf9af28c732b1cf0f53a141b774.exe
- Size: 105KB
- MD5: 69d71cf9af28c732b1cf0f53a141b774
- SHA1: 67551bc2cd84ddca9426816b7f334e8ab72b7113
- SHA256: 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0
- SHA512: b7ade6e68401c04b3b39ce2971252f914dcb8abbf710f12edfbacf6333164f438841b20219790fbfb96a55a8024327b445c63b1051d25d4ec4d976f0e1a7d20e
Malware Config
(none extracted)

Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    process: 69d71cf9af28c732b1cf0f53a141b774.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid: 112 | pid_target: 4696 | process: WerFault.exe | target process: 69d71cf9af28c732b1cf0f53a141b774.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1184 | process: powershell.exe
    pid: 1184 | process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid: 1184 | process: powershell.exe
    description: Token: SeDebugPrivilege | pid: 4696 | process: 69d71cf9af28c732b1cf0f53a141b774.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description: PID 4696 wrote to memory of 1184 | pid: 4696 | process: 69d71cf9af28c732b1cf0f53a141b774.exe | target process: powershell.exe
    description: PID 4696 wrote to memory of 1184 | pid: 4696 | process: 69d71cf9af28c732b1cf0f53a141b774.exe | target process: powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\69d71cf9af28c732b1cf0f53a141b774.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69d71cf9af28c732b1cf0f53a141b774.exe"
  PID: 4696
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    PID: 1184
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 4696 -s 1812
    PID: 112
    - Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 428 -p 4696 -ip 4696
  PID: 1724