Analysis
- max time kernel: 163s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 17:34
Static task: static1
Behavioral task: behavioral1
Sample: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
Resource: win7-20220414-en
General
- Target: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
- Size: 861KB
- MD5: 4b95fa4786f5830cb7f0027f9d15adef
- SHA1: feca329eaf6fabae376a15cf6908c2171fb86393
- SHA256: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b
- SHA512: a712857ea1a0db3267644c07395662fe39ca0e519ca402e9c63dc1fa28c36f59b994700908cb3ea7d63437d7cc25bd0a8bfeffbb13364397eb570e94e4217a5a
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
    description | ioc | Process
    File created | C:\Windows\assembly\Desktop.ini | installutil.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | installutil.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | Process | procid_target
    PID 392 set thread context of 3544 | 392 | installutil.exe | 93
- Drops file in Windows directory (3 IoCs)
  Processes:
    description | ioc | Process
    File opened for modification | C:\Windows\assembly | installutil.exe
    File created | C:\Windows\assembly\Desktop.ini | installutil.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | installutil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | Process
    392 | installutil.exe
    392 | installutil.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 392 | installutil.exe
    Token: SeDebugPrivilege | 3544 | installutil.exe
    Token: 33 | 3544 | installutil.exe
    Token: SeIncBasePriorityPrivilege | 3544 | installutil.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | Process
    3544 | installutil.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 1296 wrote to memory of 392 | 1296 | 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | 84 (reported 3 times)
    PID 392 wrote to memory of 2532 | 392 | installutil.exe | 89 (reported 3 times)
    PID 392 wrote to memory of 3544 | 392 | installutil.exe | 93 (reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
  PID: 1296
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
    PID: 392
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87CD.tmp"
      PID: 2532
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      PID: 3544
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1944
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 810B
  MD5: 7a4a84f4d2df1fe011638038702dad89
  SHA1: 64e9856d95b2064ff51e1c77819c818e6e5b3291
  SHA256: cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590
  SHA512: cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d
- Filesize: 1KB
  MD5: fd6326c611061193c278fbdb5f9efa80
  SHA1: 818c2e7be48d422683b7795e8f1c9b6d6b2ee591
  SHA256: 3b8c26207c73de67d4d7f2b39618ec6fc02be9750290f5d581db08d276b05d2f
  SHA512: 0f11e1c883215fdd28e049a538df40c34dd258f12175553b12251dd05f44c0411cd91eb0d88d3572ace805fe12cc40ca4aa57ac371ac716326e233b67f7ab8a6