Analysis
max time kernel: 149s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2022 19:12
Static task: static1
Behavioral task: behavioral1
  Sample: 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Resource: win10v2004-20220718-en
General
Target: 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
Size: 499KB
MD5: dc4da9510376798fd121ae2f94cf531e
SHA1: 41db50963d36fae816864cf3d58a9bb730c291f5
SHA256: 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a
SHA512: d2b66346c180ed4f932292c25073b2c89d2e0645ebf347fa027d3051ea5c224151605d6bad5298285b3951a73541929963d9513a2bb47fe5be32ca5bff34526c
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid  | Process
  3436 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  2128 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                             | pid  | Process                                                               | procid_target
  PID 1768 set thread context of 3600     | 1768 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 78
  PID 3436 set thread context of 2128     | 3436 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 84

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid  | pid_target | Process      | procid_target
  2576 | 2128       | WerFault.exe | 84

Runs ping.exe (1 TTPs, 1 IoCs)
  pid  | Process
  2180 | PING.EXE

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid  | Process
  3600 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe  (this row is listed 21 times in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1768 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Token: SeDebugPrivilege | 3600 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Token: SeDebugPrivilege | 3436 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed with their repeat count)
  description                      | pid  | Process                                                               | procid_target | repeats
  PID 1768 wrote to memory of 3600 | 1768 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 78            | 8
  PID 3600 wrote to memory of 3436 | 3600 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 80            | 3
  PID 3600 wrote to memory of 640  | 3600 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 82            | 3
  PID 640 wrote to memory of 2180  | 640  | cmd.exe                                                               | 83            | 3
  PID 3436 wrote to memory of 2128 | 3436 | 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe | 84            | 8
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe"
  PID: 1768
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
    PID: 3600
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe"
      PID: 3436
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
        PID: 2128
        - Executes dropped EXE

        (depth 5) C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 80
          PID: 2576
          - Program crash

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe"
      PID: 640
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 2180
        - Runs ping.exe

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
  PID: 4972
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe.log
  Filesize: 1KB
  MD5: c16efa749289947820118a1e6efb3045
  SHA1: f919006562f2ae6bf18345814e1df9613ac53400
  SHA256: d382accf873d4b2d6f01ac03b97df6065f0476d9ff591f12072ddc38f4acbb01
  SHA512: baddb6c1218bff38c126ded36164fc9e06c0eaa2a8ead2ede627556048d9482442ea0a8a43ff67578d3a14c8295e53246a3cdfa17f25d7eaf4fb67919d06f21e

C:\Users\Admin\AppData\Local\Temp\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a\4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a.exe
  Filesize: 499KB
  MD5: dc4da9510376798fd121ae2f94cf531e
  SHA1: 41db50963d36fae816864cf3d58a9bb730c291f5
  SHA256: 4fea5be10a901186a28d2c818c1a264265b22440c8c2f62611f5a28dd907ae8a
  SHA512: d2b66346c180ed4f932292c25073b2c89d2e0645ebf347fa027d3051ea5c224151605d6bad5298285b3951a73541929963d9513a2bb47fe5be32ca5bff34526c