Analysis
- max time kernel: 154s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 01:47
Static task: static1
Behavioral task: behavioral1
- Sample: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Resource: win10v2004-20220414-en
General
- Target: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Size: 1.1MB
- MD5: 6d2b7843f0e9168704d4c71108cfdc50
- SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
- SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
- SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  4964 Data.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe | Data.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe | Data.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .." | Data.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .." | Data.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes (pid, process):
  4776 f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe (4 events)
  4964 Data.exe (13 events)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 4964 | Data.exe (1 event)
  Token: 33 | 4964 | Data.exe (12 events, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege | 4964 | Data.exe (12 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  4776 f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
  4964 Data.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 4776 wrote to memory of 4964 | 4776 | f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe | Data.exe (3 events)
  PID 4964 wrote to memory of 3112 | 4964 | Data.exe | netsh.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Data.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Data.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child process)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Data.exe" "Data.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Data.exe
  Filesize: 1.1MB
  MD5: 6d2b7843f0e9168704d4c71108cfdc50
  SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
  SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
  SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
- memory/3112-142-0x0000000000000000-mapping.dmp
- memory/4776-134-0x0000000005E40000-0x00000000063E4000-memory.dmp (Filesize 5.6MB)
- memory/4776-130-0x0000000000B20000-0x0000000000E9E000-memory.dmp (Filesize 3.5MB)
- memory/4776-133-0x00000000057F0000-0x000000000588C000-memory.dmp (Filesize 624KB)
- memory/4776-132-0x0000000000B20000-0x0000000000E9E000-memory.dmp (Filesize 3.5MB)
- memory/4776-138-0x0000000000B20000-0x0000000000E9E000-memory.dmp (Filesize 3.5MB)
- memory/4776-131-0x0000000000B20000-0x0000000000E9E000-memory.dmp (Filesize 3.5MB)
- memory/4964-135-0x0000000000000000-mapping.dmp
- memory/4964-139-0x00000000007C0000-0x0000000000B3E000-memory.dmp (Filesize 3.5MB)
- memory/4964-140-0x00000000007C0000-0x0000000000B3E000-memory.dmp (Filesize 3.5MB)
- memory/4964-141-0x00000000007C0000-0x0000000000B3E000-memory.dmp (Filesize 3.5MB)
- memory/4964-143-0x00000000007C0000-0x0000000000B3E000-memory.dmp (Filesize 3.5MB)
- memory/4964-144-0x00000000058B0000-0x0000000005942000-memory.dmp (Filesize 584KB)
- memory/4964-145-0x0000000005820000-0x000000000582A000-memory.dmp (Filesize 40KB)