Overview

overview

7

Static

static

21ddbef7a8...7a.exe

windows7_x64

7

21ddbef7a8...7a.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    100s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe

  • Size

    235KB

  • MD5

    4b53491b53623cc0a8616eaedea6f81c

  • SHA1

    db2ea45c85e25dedf3e4a332b3bcd2b94e12ac3f

  • SHA256

    21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a

  • SHA512

    01a2de0218babfa5a280fcd77a6a1ad681b124b2836b113cb161255b94ce13060b11412a26052b2cfda002b62e20c4d64fc76aa48941b9eb763d54ee0b1e109d

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 15 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 8 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe
    "C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\80FC.tmp\80FD.tmp\80FE.bat C:\Users\Admin\AppData\Local\Temp\21ddbef7a8d998786b0b7acf5677fecf35bd7cc00b973850b6709671c3fff37a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM IntelConfigService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM msexec.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM cftmon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:448
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM ntosknl.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:552
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM sqlserver.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM xCoreManagment.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM ApplicationsFrameHost.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
      • C:\Windows\system32\taskkill.exe
        taskkill /f /IM Wrap.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\MicrosoftUpdateManager" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:4208
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:864
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:996
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2324
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1680
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\MicrosoftUpdateManager" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2668
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\WindowsBackup" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:2256
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2404
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3404
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3288
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:908
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\WindowsBackup" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3596
      • C:\Windows\system32\attrib.exe
        attrib "C:\ProgramData\IntelCore" -s -h -r /S /D
        3⤵
        • Views/modifies file attributes
        PID:1256
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1364
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4820
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4776
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Users:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1912
      • C:\Windows\system32\icacls.exe
        icacls "C:\ProgramData\IntelCore" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1048
      • C:\Windows\system32\reg.exe
        REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Windows Update Manager /F
        3⤵
          PID:4340
        • C:\Windows\system32\reg.exe
          REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Update Manager /F
          3⤵
            PID:4940
          • C:\Windows\system32\reg.exe
            REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Update Manager /F
            3⤵
              PID:2120
            • C:\Windows\system32\reg.exe
              REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v System /F
              3⤵
                PID:2820
              • C:\Windows\system32\reg.exe
                REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v System /F
                3⤵
                  PID:2160
                • C:\Windows\system32\reg.exe
                  REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v System /F
                  3⤵
                    PID:4624
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Windows Start-Up Application /F
                    3⤵
                      PID:3240
                    • C:\Windows\system32\reg.exe
                      REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Start-Up Application /F
                      3⤵
                        PID:4548
                      • C:\Windows\system32\reg.exe
                        REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Start-Up Application /F
                        3⤵
                          PID:4504

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Defense Evasion

                    File Permissions Modification

                    1
                    T1222

                    Hidden Files and Directories

                    1
                    T1158

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\80FC.tmp\80FD.tmp\80FE.bat
                      Filesize

                      2KB

                      MD5

                      b8c26dc9560c1406c0738ca755dc3caf

                      SHA1

                      05993ce61ba127b1bc72006d826561974c1046bb

                      SHA256

                      1e7fe4fd0c12a3e4577634b1dc2fc75c7579cd23d6eab9f5f22f18c6eb22514a

                      SHA512

                      e59cce1ca34b363586a4cd778fc0121b19d29af270285b813f219f0582f71f14e13a8aab3f130703664cdc9a2ed962e394684f81e3cd865a307726996091998a

                      Download Submit
                    • memory/448-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/552-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/760-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/864-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/908-150-0x0000000000000000-mapping.dmp
                      Download
                    • memory/996-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1048-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1256-152-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1364-153-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1680-144-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1912-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2120-160-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2160-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2256-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2324-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2404-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2668-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2820-161-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2876-139-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3176-133-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3240-164-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3288-149-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3312-130-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3404-148-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3596-151-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4208-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4220-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4304-137-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4320-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4340-158-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4504-166-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4548-165-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4624-163-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4776-155-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4820-154-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4940-159-0x0000000000000000-mapping.dmp
                      Download