Analysis
- max time kernel: 150s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: 46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe
- Resource: win10v2004-20220414-en
General
- Target: 46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe
- Size: 61KB
- MD5: 904453e88a179fcab967e54eefbf4c85
- SHA1: 36c1aa1b9cc7ddae383f244a1b7222a326f832ea
- SHA256: 46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f
- SHA512: ffc68895f032c72fc6da8f6352d6ac07dedb82606ddb5b78dff24f98a87160df37e198c894e0891528ed2c2aac6c67188ec0c1f26156f34b9e5f19dde2cac3a2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2384  outlookUpdating.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f896af4c63bc0de10b2ab6ccdbc93520 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\outlookUpdating.exe\" .."  outlookUpdating.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f896af4c63bc0de10b2ab6ccdbc93520 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\outlookUpdating.exe\" .."  outlookUpdating.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes (pid, process):
    2384  outlookUpdating.exe  (same entry repeated 32 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2384  outlookUpdating.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 4392 wrote to memory of 2384  4392  46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe  outlookUpdating.exe
    PID 4392 wrote to memory of 2384  4392  46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe  outlookUpdating.exe
    PID 2384 wrote to memory of 3456  2384  outlookUpdating.exe  netsh.exe
    PID 2384 wrote to memory of 3456  2384  outlookUpdating.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\outlookUpdating.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\outlookUpdating.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\outlookUpdating.exe" "outlookUpdating.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\outlookUpdating.exe
  Filesize: 61KB
  MD5: 904453e88a179fcab967e54eefbf4c85
  SHA1: 36c1aa1b9cc7ddae383f244a1b7222a326f832ea
  SHA256: 46921f04caaf575af7c2b27fe05bf0904952339c0b22577736148ce1119f966f
  SHA512: ffc68895f032c72fc6da8f6352d6ac07dedb82606ddb5b78dff24f98a87160df37e198c894e0891528ed2c2aac6c67188ec0c1f26156f34b9e5f19dde2cac3a2
- memory/2384-132-0x0000000000000000-mapping.dmp
- memory/2384-137-0x00007FFB55AF0000-0x00007FFB565B1000-memory.dmp (Filesize: 10.8MB)
- memory/2384-138-0x00007FFB55AF0000-0x00007FFB565B1000-memory.dmp (Filesize: 10.8MB)
- memory/3456-136-0x0000000000000000-mapping.dmp
- memory/4392-130-0x00000000000A0000-0x00000000000B6000-memory.dmp (Filesize: 88KB)
- memory/4392-131-0x00007FFB55AF0000-0x00007FFB565B1000-memory.dmp (Filesize: 10.8MB)
- memory/4392-135-0x00007FFB55AF0000-0x00007FFB565B1000-memory.dmp (Filesize: 10.8MB)