Analysis
-
max time kernel: 142s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 08:46
Static task: static1
Behavioral task: behavioral1
  Sample: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe
  Resource: win10v2004-20220721-en
General
-
Target: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe
Size: 1.0MB
MD5: 5bc6ed82565d9c5c4878b574a37b4a20
SHA1: e6a6ee5473e9ea34165974c3fd2a94542d64bace
SHA256: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
SHA512: b6968383b9fe25c1ae5a5d76de2f0a61afaaf7942f91cc2ac9810bb8a38bca952ab08c687b59105b8fd836a8b3d89345ae704fa416432c21a7caa094df0623f4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2788  project6765.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation
  process: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe
Note: HKCU\Control Panel\International\Geo\Nation holds the Windows GeoID of the country/region configured for the current user. It is a per-user, user-writable value, so what the sample reads is whatever the sandbox image was provisioned with (this run used an en-us image). The report records only the lookup; it does not show which GeoID the sample compares against or what it does on a mismatch.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: no specific IoC is recorded for this signature in the report; the text above is the signature's generic description.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1372  b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe
  Token: SeDebugPrivilege  2788  project6765.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 1372 wrote to memory of 1556   1372  b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe  cmd.exe          (3 entries)
  PID 1372 wrote to memory of 1748   1372  b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe  cmd.exe          (3 entries)
  PID 1748 wrote to memory of 2788   1748  cmd.exe                                                                   project6765.exe  (3 entries)
Note: every recorded write goes from a parent into a child it has just launched (1372 -> 1556, 1372 -> 1748, 1748 -> 2788), which is the pattern of ordinary process start-up. No write targets a process outside the sample's own tree, so this signature is not evidence of injection into a foreign process here.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe  (PID 1372, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe  (PID 1556, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe" "C:\Users\Admin\Desktop\project6765.exe"
  -
  C:\Windows\SysWOW64\cmd.exe  (PID 1748, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\project6765.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\Desktop\project6765.exe  (PID 2788, level 3)
      command line: "C:\Users\Admin\Desktop\project6765.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Notes: PIDs are taken from the signature tables above (1748 is the cmd.exe that wrote to 2788, so it is the launcher; 1556 is the copier). The sample copies its own image to the Desktop and re-executes the copy, so "Executes dropped EXE" refers to a self-copy rather than an unpacked payload. Both cmd.exe children were requested as C:\Windows\System32\cmd.exe but ran from C:\Windows\SysWOW64\cmd.exe; that is WOW64 file-system redirection, which only applies to a 32-bit process on 64-bit Windows, so the sample is a 32-bit executable. The "/c," form is accepted by cmd.exe (comma is a valid separator), and the copy did launch as shown.
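A hunting check for the staging pattern in the tree above (a process in a user temp directory copies its own image elsewhere through cmd.exe, then launches the copy through a second cmd.exe), written as an added example for this page; it is not code from the sandbox or from the sample. It runs the rule over constructed Sysmon-style process-creation records built from the PIDs, images and command lines shown in the tree, plus a constructed benign control. The record shape, the parent PID of the sample (900), the benign control and the inclusion of the Downloads directory in the staging pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Paths taken from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"
DROPPED = r"C:\Users\Admin\Desktop\project6765.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed process-creation records (Sysmon Event ID 1 style: pid, ppid,
# image, command line). PIDs, images and command lines mirror the report; the
# record shape and the sample's parent PID (900) are assumptions.
EVENTS = [
    {"pid": 1372, "ppid": 900, "image": SAMPLE, "cmdline": rf'"{SAMPLE}"'},
    {"pid": 1556, "ppid": 1372, "image": CMD,
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c copy "{SAMPLE}" "{DROPPED}"'},
    {"pid": 1748, "ppid": 1372, "image": CMD,
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c, "{DROPPED}"'},
    {"pid": 2788, "ppid": 1748, "image": DROPPED, "cmdline": rf'"{DROPPED}"'},
]

# Constructed benign control: an installer in Temp copies a config file (not
# its own image) to the Desktop. This must not match.
BENIGN_EVENTS = [
    {"pid": 400, "ppid": 300, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'},
    {"pid": 401, "ppid": 400, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\config.ini" "C:\Users\Admin\Desktop\config.ini"'},
]

# cmd.exe accepts "," as well as whitespace after /c (the sample used "/c,"),
# so both patterns allow an optional comma.
COPY_RE = re.compile(r'/c\s*,?\s*copy\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)
EXEC_RE = re.compile(r'/c\s*,?\s*"([^"]+\.exe)"', re.IGNORECASE)
# Staging directories a dropper typically starts from. Temp is what the report
# shows; Downloads is an assumed generalisation.
STAGING_RE = re.compile(r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)


def is_cmd(event):
    return event["image"].lower().endswith("\\cmd.exe")


def find_self_copy_relaunch(events):
    """Return one record per detected chain: a process in a staging directory
    that copies its own image elsewhere through a cmd.exe child and then runs
    the copy through another cmd.exe child, confirmed by the grandchild
    actually starting from the destination path."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for parent in events:
        if not STAGING_RE.search(parent["image"]):
            continue
        # Step 1: cmd.exe children whose copy source is the parent's own image.
        copies = {}  # destination path (lower-cased) -> pid of the copying cmd.exe
        for c in children[parent["pid"]]:
            if not is_cmd(c):
                continue
            m = COPY_RE.search(c["cmdline"])
            if m and m.group(1).lower() == parent["image"].lower():
                copies[m.group(2).lower()] = c["pid"]
        if not copies:
            continue
        # Step 2: cmd.exe children that launch one of those destinations, with
        # the grandchild's image confirming the copy really ran.
        for c in children[parent["pid"]]:
            if not is_cmd(c):
                continue
            m = EXEC_RE.search(c["cmdline"])
            if not m or m.group(1).lower() not in copies:
                continue
            dest = m.group(1).lower()
            for g in children[c["pid"]]:
                if g["image"].lower() == dest:
                    hits.append({
                        "dropper_pid": parent["pid"],
                        "copy_cmd_pid": copies[dest],
                        "launch_cmd_pid": c["pid"],
                        "copy_pid": g["pid"],
                        "copy_path": g["image"],
                    })
    return hits


if __name__ == "__main__":
    for hit in find_self_copy_relaunch(EVENTS):
        print(hit)
    print("benign control:", find_self_copy_relaunch(BENIGN_EVENTS))
```

On real telemetry, key the parent/child links on ProcessGuid (or PID plus start time) rather than bare PID, since PIDs are reused. The grandchild confirmation in step 2 is what keeps a lone "cmd /c copy" of an installer from alerting; requiring the copy source to equal the parent's own image is what separates this self-replication from ordinary file copies.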
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\project6765.exe
Filesize: 1.0MB
MD5: 5bc6ed82565d9c5c4878b574a37b4a20
SHA1: e6a6ee5473e9ea34165974c3fd2a94542d64bace
SHA256: b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
SHA512: b6968383b9fe25c1ae5a5d76de2f0a61afaaf7942f91cc2ac9810bb8a38bca952ab08c687b59105b8fd836a8b3d89345ae704fa416432c21a7caa094df0623f4
Note: the dropped file's size and hashes are identical to those of the submitted sample (see General above), so project6765.exe is a byte-for-byte self-copy placed on the Desktop, not a second-stage payload; blocking on the sample's hash also covers the copy.
-
memory/1372-130-0x0000000000C10000-0x0000000000D18000-memory.dmp  (1.0MB)
memory/1372-131-0x0000000008300000-0x00000000088A4000-memory.dmp  (5.6MB)
memory/1372-132-0x0000000007E30000-0x0000000007EC2000-memory.dmp  (584KB)
memory/1372-133-0x0000000007E20000-0x0000000007E2A000-memory.dmp  (40KB)
memory/1556-134-0x0000000000000000-mapping.dmp
memory/1748-135-0x0000000000000000-mapping.dmp
memory/2788-136-0x0000000000000000-mapping.dmp