Analysis
max time kernel: 187s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-06-2022 16:50
Static task: static1
Behavioral task: behavioral1
Sample: 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
Resource: win7-20220414-en
General
Target: 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
Size: 399KB
MD5: 9feaf964c8cf229116b3439a7520bbed
SHA1: 0a606159afef156db4df1f6a2b79d933379b5198
SHA256: 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
SHA512: 7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid | Process
  3932 | tmp.exe
  2992 | svhost.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | Process | procid_target
  PID 2968 set thread context of 2992 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe | 82

Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  File created | C:\Windows\assembly\Desktop.ini | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  pid | Process
  4456 | timeout.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

NTFS ADS (1 IoC)
Processes:
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe:Zone.Identifier | cmd.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | Process
  2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe (4 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | Process
  3932 | tmp.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  Token: 33 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  Token: SeIncBasePriorityPrivilege | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  Token: SeRestorePrivilege | 1756 | dw20.exe
  Token: SeBackupPrivilege | 1756 | dw20.exe (3 identical entries)
  Token: SeDebugPrivilege | 3932 | tmp.exe
  Token: 33 | 3932 | tmp.exe
  Token: SeIncBasePriorityPrivilege | 3932 | tmp.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | Process
  3932 | tmp.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 2968 wrote to memory of 3832 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe | 78 (3 identical entries)
  PID 3832 wrote to memory of 4716 | 3832 | cmd.exe | 80 (3 identical entries)
  PID 2968 wrote to memory of 3932 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe | 81 (3 identical entries)
  PID 2968 wrote to memory of 2992 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe | 82 (8 identical entries)
  PID 2968 wrote to memory of 3036 | 2968 | 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe | 84 (3 identical entries)
  PID 2992 wrote to memory of 1756 | 2992 | svhost.exe | 83 (3 identical entries)
  PID 3036 wrote to memory of 4456 | 3036 | cmd.exe | 87 (3 identical entries)
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"
  PID: 2968
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 3832
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f
      PID: 4716

  C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 3932
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 2992
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 804
      PID: 1756
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat
    PID: 3036
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 120
      PID: 4456
      - Delays execution with timeout.exe

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 193B
MD5: 3b6a56f303d5dd98b42084fac3feb0d1
SHA1: a8bdb37904ef6aa59608088f19ba98d38f494117
SHA256: ef83e0a4dfad7ba70badd2153861ba96bba3a09bcd26195c5534952ffda2e696
SHA512: 66070b7139213da25bcf0945622802dad37a3eface1745c617bbbc6b3aca2b88d7ad8eb4b8ac20647805773f5fd9f71d4d49c2dc56566ed5a1e1d7e708d62c3c

Filesize: 399KB
MD5: 9feaf964c8cf229116b3439a7520bbed
SHA1: 0a606159afef156db4df1f6a2b79d933379b5198
SHA256: 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
SHA512: 7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

Filesize: 89KB
MD5: 84c42d0f2c1ae761bef884638bc1eacd
SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Filesize: 89KB
MD5: 84c42d0f2c1ae761bef884638bc1eacd
SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Filesize: 323KB
MD5: 56a28a67e708d9f099528457384f456d
SHA1: a625be6fba78381e79da9912bbefce21e05031dd
SHA256: a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d
SHA512: 1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261

Filesize: 323KB
MD5: 56a28a67e708d9f099528457384f456d
SHA1: a625be6fba78381e79da9912bbefce21e05031dd
SHA256: a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d
SHA512: 1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261