Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-06-2022 20:24
Static task: static1
Behavioral task: behavioral1
- Sample: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Resource: win10v2004-20220414-en
General
- Target: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Size: 532KB
- MD5: fc9a12a9bb842acc8879398df0066302
- SHA1: 09391f5dd89078cbff1b554b601a515ea8ce0bf8
- SHA256: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62
- SHA512: 6f834185ecf024e2feaeaa6a933b09f05ab7099f683323bb1d83e45d4166821c8608a6f9348a38cbe68ab67e1bc806df1c23f9e36a2f3b0ed58ba8ce55248139
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3632  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    Process: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstartedwinb = "C:\\Users\\Admin\\AppData\\Roaming\\defenderwb\\winlogimam.exe"
    Process: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 988 set thread context of 428   (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 89)
    PID 3632 set thread context of 1796 (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 94)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    Token: SeDebugPrivilege            pid 988   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Token: SeDebugPrivilege            pid 428   2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Token: SeDebugPrivilege            pid 3632  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Token: SeDebugPrivilege            pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Token: 33                          pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Token: SeIncBasePriorityPrivilege  pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1796  2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (identical entries collapsed, with the number of occurrences shown as xN):
    PID 988 wrote to memory of 428    (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 89)  x8
    PID 428 wrote to memory of 3632   (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 90)  x3
    PID 428 wrote to memory of 2404   (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 91)  x3
    PID 2404 wrote to memory of 3988  (cmd.exe, procid_target 93)  x3
    PID 3632 wrote to memory of 1796  (2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe, procid_target 94)  x8
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
  PID: 988
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
    PID: 428
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
      PID: 3632
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
        PID: 1796
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe"
      PID: 2404
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 3988
        - Runs ping.exe
Depth 1: C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4364
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe.log
  Filesize: 706B
  MD5: 2ef5ef69dadb8865b3d5b58c956077b8
  SHA1: af2d869bac00685c745652bbd8b3fe82829a8998
  SHA256: 363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3
  SHA512: 66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3
- C:\Users\Admin\AppData\Local\Temp\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62\2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62.exe
  Filesize: 532KB
  MD5: fc9a12a9bb842acc8879398df0066302
  SHA1: 09391f5dd89078cbff1b554b601a515ea8ce0bf8
  SHA256: 2d256d6337bdd156fb7822057f57fad62f5fbed26f052954b44373e64b75df62
  SHA512: 6f834185ecf024e2feaeaa6a933b09f05ab7099f683323bb1d83e45d4166821c8608a6f9348a38cbe68ab67e1bc806df1c23f9e36a2f3b0ed58ba8ce55248139