Analysis
- max time kernel: 171s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 09:24

Static task: static1

Behavioral task: behavioral1
- Sample: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe
- Resource: win10v2004-20220414-en
General
- Target: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe
- Size: 852KB
- MD5: 176b5acb7e99a0f6b96e67008211a6ba
- SHA1: 3cc11249673f7d66ce36da881a461c12a435e421
- SHA256: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3
- SHA512: 168744ff4454a49666092694bd2949d3bc5d50703d855077651fff3ba7be91e398d053a4fe797cdc74bfdfb52c8fa1e765bd4989ef46b47949610c5eb05ddf5a
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    - pid: 3936, process: FB_B3C4.tmp.exe
    - pid: 4320, process: FB_BF7D.tmp.com
    - pid: 4100, process: config.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
      process: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe
    - description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
      process: FB_BF7D.tmp.com
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    - description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9165950e91e4e361fa21d31cf1cfc39b = "\"C:\\Users\\Admin\\AppData\\Roaming\\config.exe\" .."
      process: config.exe
    - description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9165950e91e4e361fa21d31cf1cfc39b = "\"C:\\Users\\Admin\\AppData\\Roaming\\config.exe\" .."
      process: config.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    - pid: 4100, process: config.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    - description: Token: SeDebugPrivilege, pid: 4100, process: config.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    - description: PID 3132 wrote to memory of 3936
      pid: 3132, process: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe, target process: FB_B3C4.tmp.exe (3 entries)
    - description: PID 3132 wrote to memory of 4320
      pid: 3132, process: 3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe, target process: FB_BF7D.tmp.com (3 entries)
    - description: PID 4320 wrote to memory of 4100
      pid: 4320, process: FB_BF7D.tmp.com, target process: config.exe (3 entries)
    - description: PID 4100 wrote to memory of 2312
      pid: 4100, process: config.exe, target process: netsh.exe (3 entries)
Processes (indentation shows the parent/child tree; the number is the tree depth)
- [1] C:\Users\Admin\AppData\Local\Temp\3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bdc59efa34736457c7bb023c755470ef3bd29b81f733e59b2594f6373f876c3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\FB_B3C4.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_B3C4.tmp.exe"
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\FB_BF7D.tmp.com
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_BF7D.tmp.com"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\config.exe
      Command line: "C:\Users\Admin\AppData\Roaming\config.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\config.exe" "config.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FB_B3C4.tmp.exe
  Filesize: 383KB
  MD5: 561674e508d910f7f3ad690e63c5a4ff
  SHA1: 7f74325e9927d35ae3115f25254d1027c5d6ada3
  SHA256: d5b0f4f52fff7353781c712b8991d9bea2ceb9cb4b669d9fed4b578e6219eefa
  SHA512: 9d193c401e04c13f278420a15efc1339f22a6bdac13c6d1bb780b2f70a15308086d4d2a400b5f7d9aee4d77203572ac8103bd51d10e5031b3e456931ef40d45c
- C:\Users\Admin\AppData\Local\Temp\FB_BF7D.tmp.com
  Filesize: 265KB
  MD5: bbb0eaa3d707e757e7e92de8968f9fa5
  SHA1: bade9eb744210496c4f53ddc44264d21f3c32732
  SHA256: 098f80e542a1e3c972a14a416077f8013730f2119d793b5009e9cc1a663a54a2
  SHA512: 9ef6b4f79af70c4c5239ade6309e35ccc66fcf52791ea73d84754e8236ac4ab75b68a1ad33519969a5b7884191b9f7a238f1e723dbbebbc2927922eedfb37d71
- C:\Users\Admin\AppData\Roaming\config.exe (same hashes as FB_BF7D.tmp.com)
  Filesize: 265KB
  MD5: bbb0eaa3d707e757e7e92de8968f9fa5
  SHA1: bade9eb744210496c4f53ddc44264d21f3c32732
  SHA256: 098f80e542a1e3c972a14a416077f8013730f2119d793b5009e9cc1a663a54a2
  SHA512: 9ef6b4f79af70c4c5239ade6309e35ccc66fcf52791ea73d84754e8236ac4ab75b68a1ad33519969a5b7884191b9f7a238f1e723dbbebbc2927922eedfb37d71
- memory/2312-146-0x0000000000000000-mapping.dmp
- memory/3936-138-0x0000000004AD0000-0x0000000004B6C000-memory.dmp (Filesize: 624KB)
- memory/3936-130-0x0000000000000000-mapping.dmp
- memory/3936-139-0x0000000005120000-0x00000000056C4000-memory.dmp (Filesize: 5.6MB)
- memory/3936-140-0x0000000004B70000-0x0000000004C02000-memory.dmp (Filesize: 584KB)
- memory/3936-141-0x0000000004AA0000-0x0000000004AAA000-memory.dmp (Filesize: 40KB)
- memory/3936-142-0x0000000004D60000-0x0000000004DB6000-memory.dmp (Filesize: 344KB)
- memory/3936-137-0x0000000000080000-0x00000000000E8000-memory.dmp (Filesize: 416KB)
- memory/4100-143-0x0000000000000000-mapping.dmp
- memory/4320-136-0x0000000000020000-0x000000000006A000-memory.dmp (Filesize: 296KB)
- memory/4320-133-0x0000000000000000-mapping.dmp