Analysis
- max time kernel: 91s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 00:14
Behavioral task behavioral1
- Sample: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Resource: win7-20220718-en

Behavioral task behavioral2
- Sample: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Resource: win10v2004-20220721-en
General
- Target: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
- Size: 690KB
- MD5: b1054ce8f34ae583487bd889bf03fb39
- SHA1: 405a0010eda09b5878596a7d91abf0ffe58634db
- SHA256: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36
- SHA512: 5f03041137cb4fb942b96f8d6e2f44849be7d393b9f7231581ad6637d8ebba7864c38defe922f238661dc525e6d2dc726e3e456cbc540f977b13162100629345
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"
  process: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- pid 4900, process attrib.exe
- pid 3188, process attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
  process: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"
  process: 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
All 24 entries have pid 2372, process 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe. Descriptions, in order:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each row is recorded three times in the report):
- description: PID 2372 wrote to memory of 3960
  pid 2372, process 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe, target process cmd.exe
- description: PID 2372 wrote to memory of 996
  pid 2372, process 39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe, target process cmd.exe
- description: PID 3960 wrote to memory of 4900
  pid 3960, process cmd.exe, target process attrib.exe
- description: PID 996 wrote to memory of 3188
  pid 996, process cmd.exe, target process attrib.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
- pid 3188, process attrib.exe
- pid 4900, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes