Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-06-2022 00:05
Static task: static1
Behavioral task: behavioral1
Sample: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
Resource: win7-20220414-en
General
Target: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
Size: 320KB
MD5: b20733f2f81130783a51243733009222
SHA1: fc7055cb65b424bcb39e16c12a32e0fd4ded11d0
SHA256: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c
SHA512: 702be5ed69bfb3129ba77571d3904afc0d8663887d6b3f848c4c6fdd40ced8416c9b7f8cdddd9a2b916f2bd969291e7b48dfd1c398d189ef9f6b810fa188141c
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid  | Process
  3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                       | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Drops desktop.ini file(s) (2 IoCs)
Processes:
  description                  | ioc                             | Process
  File opened for modification | C:\Windows\assembly\Desktop.ini | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  File created                 | C:\Windows\assembly\Desktop.ini | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Drops file in Windows directory (3 IoCs)
Processes:
  description                  | ioc                             | Process
  File opened for modification | C:\Windows\assembly             | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  File created                 | C:\Windows\assembly\Desktop.ini | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid  | Process
  3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                       | pid  | Process
  Token: SeDebugPrivilege           | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Token: SeDebugPrivilege           | 3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Token: 33                         | 3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Token: SeIncBasePriorityPrivilege | 3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid  | Process
  3552 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                     | pid  | Process                                                              | procid_target
  PID 4840 wrote to memory of 3552 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 79
  PID 4840 wrote to memory of 3552 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 79
  PID 4840 wrote to memory of 3552 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 79
  PID 4840 wrote to memory of 4736 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 80
  PID 4840 wrote to memory of 4736 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 80
  PID 4840 wrote to memory of 4736 | 4840 | 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe | 80
  PID 4736 wrote to memory of 4652 | 4736 | cmd.exe                                                              | 82
  PID 4736 wrote to memory of 4652 | 4736 | cmd.exe                                                              | 82
  PID 4736 wrote to memory of 4652 | 4736 | cmd.exe                                                              | 82
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4840

  Level 2: C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3552

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4736

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID: 4652

Level 1: C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 936
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c\31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c.exe
Filesize: 320KB
MD5: b20733f2f81130783a51243733009222
SHA1: fc7055cb65b424bcb39e16c12a32e0fd4ded11d0
SHA256: 31309795039d0d243dcf52abe91308a6ef0d714cf700ee1db5b00a7cf083229c
SHA512: 702be5ed69bfb3129ba77571d3904afc0d8663887d6b3f848c4c6fdd40ced8416c9b7f8cdddd9a2b916f2bd969291e7b48dfd1c398d189ef9f6b810fa188141c