Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 06:15
Static task: static1
Behavioral task: behavioral1
Sample: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
Resource: win7-20220414-en
General
- Target: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
- Size: 320KB
- MD5: ab30a9e2d9d13fddd81c62c1e7c32b70
- SHA1: 7b580bfabef1a13e88c36333603aaef09ca07a59
- SHA256: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f
- SHA512: 156511283fd4bfee1ad596640be80e39fe0708c193cd6343aa90da874e57fb915a26b38e03d2fe5c51cb1c822e1c95ee4374f7089419a1891d8cd4ec7f884262
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   Process
  4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
  description                   ioc                              Process
  File created                  C:\Windows\assembly\Desktop.ini  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
  description                   ioc                              Process
  File opened for modification  C:\Windows\assembly              270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  File created                  C:\Windows\assembly\Desktop.ini  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   Process
  4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                       pid   Process
  Token: SeDebugPrivilege           3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  Token: SeDebugPrivilege           4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  Token: 33                         4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  Token: SeIncBasePriorityPrivilege 4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   Process
  4340  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   Process                                                                procid_target
  PID 3836 wrote to memory of 4340  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  87
  PID 3836 wrote to memory of 4340  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  87
  PID 3836 wrote to memory of 4340  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  87
  PID 3836 wrote to memory of 1536  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  88
  PID 3836 wrote to memory of 1536  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  88
  PID 3836 wrote to memory of 1536  3836  270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe  88
  PID 1536 wrote to memory of 4516  1536  cmd.exe                                                                90
  PID 1536 wrote to memory of 4516  1536  cmd.exe                                                                90
  PID 1536 wrote to memory of 4516  1536  cmd.exe                                                                90
Processes
- C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3836
  - C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4340
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1536
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID: 4516
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3164
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f\270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f.exe
  Filesize: 320KB
  MD5: ab30a9e2d9d13fddd81c62c1e7c32b70
  SHA1: 7b580bfabef1a13e88c36333603aaef09ca07a59
  SHA256: 270a4f3480b3291f67db0bf13a4187eb4adabd38ace0d002ac7478bb7ab0b08f
  SHA512: 156511283fd4bfee1ad596640be80e39fe0708c193cd6343aa90da874e57fb915a26b38e03d2fe5c51cb1c822e1c95ee4374f7089419a1891d8cd4ec7f884262