Analysis
- Max time kernel: 160s
- Max time network: 185s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 16-06-2022 09:33

Static task: static1

Behavioral task: behavioral1
- Sample: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
- Resource: win10v2004-20220414-en
General
- Target: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
- Size: 615KB
- MD5: d9eea652e097a3f9f950fc6998682ad0
- SHA1: 773a2461085609843b85a605a80cc2fc9a79d5de
- SHA256: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af
- SHA512: 19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: index.exe, index.exe
    PID 3644: index.exe
    PID 4832: index.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\index = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\index.exe -boot" (process: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    Flow 25: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: index.exe
    PID 3644 set thread context of PID 4832 (index.exe -> index.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe, index.exe
    Token: SeDebugPrivilege, PID 4472 (26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe)
    Token: SeDebugPrivilege, PID 3644 (index.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe, index.exe
    PID 4472 wrote to memory of PID 3644 (26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe -> index.exe), 3 occurrences
    PID 3644 wrote to memory of PID 4832 (index.exe -> index.exe), 8 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
  Filesize: 615KB
  MD5: d9eea652e097a3f9f950fc6998682ad0
  SHA1: 773a2461085609843b85a605a80cc2fc9a79d5de
  SHA256: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af
  SHA512: 19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000
- memory/3644-131-0x0000000000000000-mapping.dmp
- memory/3644-135-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3644-137-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3644-141-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4472-130-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4472-134-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4832-136-0x0000000000000000-mapping.dmp
- memory/4832-140-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4832-142-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)