Analysis
max time kernel: 144s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 03:17
Static task: static1
Behavioral task: behavioral1
  Sample: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
  Resource: win10v2004-20220721-en
General
Target: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
Size: 724KB
MD5: 61234732aaee3b52d2a921c61f4a5ca0
SHA1: af3b4b38706e62632d33ed46c14db107b2e86087
SHA256: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754
SHA512: c5db3da3a615f95caed497d86d2582145f1b31e9effd2c16976a55adb12f9f74acd78a728f9f8fda791199f6675dc6b6f388e7465d3d1f89f45dac674d2ab6c5
Malware Config
Signatures
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Emerge.exe)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: Emerge.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (process: iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe" (process: iexplore.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 4032: Emerge.exe
- PID 4236: Emerge.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (process: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: Emerge.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Abidingness2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Emerge.exe" (process: reg.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe" (process: iexplore.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe" (process: iexplore.exe)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Emerge.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4032 (Emerge.exe) set thread context of PID 4236 (Emerge.exe)
- PID 4236 (Emerge.exe) set thread context of PID 3320 (iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 4236: Emerge.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3320 (iexplore.exe)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 960: 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
- PID 4032: Emerge.exe
- PID 4236: Emerge.exe
- PID 3320: iexplore.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
- PID 960 (6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe) wrote to memory of PID 3904 (schtasks.exe): 3 writes
- PID 960 (6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe) wrote to memory of PID 2196 (schtasks.exe): 3 writes
- PID 960 (6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe) wrote to memory of PID 4032 (Emerge.exe): 3 writes
- PID 4032 (Emerge.exe) wrote to memory of PID 4236 (Emerge.exe): 9 writes
- PID 4236 (Emerge.exe) wrote to memory of PID 3320 (iexplore.exe): 8 writes
System policy modification (1 TTPs, 1 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Emerge.exe)
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Process (level 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC HOURLY /MO 23 /TN "Abidingness2" /TR "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "\""Abidingness2"\"" /f /t REG_SZ /d "\""C:\Users\Admin\AppData\Local\Temp\Emerge.exe\""
    - Creates scheduled task(s)
  Process (level 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /run /tn "Abidingness2"
  Process (level 2): C:\Users\Admin\AppData\Local\Temp\Emerge.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Process (level 3): C:\Users\Admin\AppData\Local\Temp\Emerge.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      Process (level 4): C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Emerge.exe
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Process (level 1): C:\Windows\system32\reg.EXE
  Command line: C:\Windows\system32\reg.EXE add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Abidingness2" /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
  - Adds Run key to start application
  - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Emerge.exe
  Filesize: 724KB
  MD5: c8d1b48fefc657e31e884d52d9389e6b
  SHA1: cf3da2ad535e05c3eaa6c34ef334b6eea08f2c3c
  SHA256: 4c986eec3ff23bf14f32cdf7b081e671c5bb79e020c17f6fdb0f0a07ba9a7319
  SHA512: d7b3682dad57c0d679b25de1324bed4e20928a978130280db7347af481fc877e045b67e6d75331fcb2597665f54137a874f51c60f9f21cd83fa33f04fd24dd09
- memory/960-133-0x0000000077E30000-0x0000000077FD3000-memory.dmp (Filesize: 1.6MB)
- memory/960-132-0x00007FFFC26D0000-0x00007FFFC28C5000-memory.dmp (Filesize: 2.0MB)
- memory/960-139-0x00007FFFC26D0000-0x00007FFFC28C5000-memory.dmp (Filesize: 2.0MB)
- memory/960-141-0x0000000077E30000-0x0000000077FD3000-memory.dmp (Filesize: 1.6MB)
- memory/2196-135-0x0000000000000000-mapping.dmp
- memory/3904-134-0x0000000000000000-mapping.dmp
- memory/4032-136-0x0000000000000000-mapping.dmp
- memory/4032-147-0x00007FFFC26D0000-0x00007FFFC28C5000-memory.dmp (Filesize: 2.0MB)
- memory/4032-149-0x0000000077E30000-0x0000000077FD3000-memory.dmp (Filesize: 1.6MB)
- memory/4236-144-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/4236-143-0x0000000000000000-mapping.dmp
- memory/4236-151-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/4236-152-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)