Analysis
- max time kernel: 184s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 05:22
Static task: static1
Behavioral task: behavioral1
Sample: boomclnr.exe
Resource: win7-20220414-en
General
- Target: boomclnr.exe
- Size: 338KB
- MD5: 7eb3288cf5a21f9e579741af49ce65aa
- SHA1: 15ee11f73dd90eb20e5dcca2ad8fac94f93a91c1
- SHA256: d080f227320c4939dd03587024c17583d8fe7b589e45502f8ee905ecb33d626a
- SHA512: e733a472ed1c2d3e848fc12eaab52a877a4e81382bba85674d061b0e34060186377e5399b9d67596fca1fe0813d1c960a851702abbac015955bc18df7cc5012a
Malware Config
Extracted
- Family: arkei
- Botnet: Default
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3172 | u3cg.0.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | boomclnr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4336 wrote to memory of 3172 | 4336 | boomclnr.exe | u3cg.0.exe
  PID 4336 wrote to memory of 3172 | 4336 | boomclnr.exe | u3cg.0.exe
  PID 4336 wrote to memory of 3172 | 4336 | boomclnr.exe | u3cg.0.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\boomclnr.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\boomclnr.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe
  Filesize: 353KB
  MD5: b4313a7d7629f36f75f7c964cddb407a
  SHA1: b6067c17671743fb93d4783e7925b1c24393e0ac
  SHA256: 5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2
  SHA512: 7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21
- memory/3172-130-0x0000000000000000-mapping.dmp
- memory/3172-133-0x0000000000C43000-0x0000000000C64000-memory.dmp
  Filesize: 132KB
- memory/3172-134-0x0000000000BB0000-0x0000000000BD9000-memory.dmp
  Filesize: 164KB
- memory/3172-135-0x0000000000400000-0x0000000000B4B000-memory.dmp
  Filesize: 7.3MB