Analysis
max time kernel: 186s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 08:46
Static task: static1
Behavioral task: behavioral1
  Sample: dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
  Resource: win10v2004-20220721-en
General
Target: dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
Size: 763KB
MD5: 0cd6977068202fb2a7b3ab7c552ec508
SHA1: d012374c33fdb7337412c92f7fa4eb9ad2dd2068
SHA256: dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995
SHA512: 3a85063893354d7946e3e1a7828592e5319668ce4b732b35376be5039a875d8c1216fd4c823b8d4122f693e5941694fcef382f6ddc1b15c2ba66c63d6c75c2b5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             | pid | process
    Token: SeDebugPrivilege | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                     | pid | process                                                              | target process
    PID 632 wrote to memory of 2432 | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | cmd.exe
    PID 632 wrote to memory of 2432 | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | cmd.exe
    PID 632 wrote to memory of 2432 | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | cmd.exe
    PID 632 wrote to memory of 824  | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | explorer.exe
    PID 632 wrote to memory of 824  | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | explorer.exe
    PID 632 wrote to memory of 824  | 632 | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe" "C:\Users\Admin\AppData\Local\Cortana.exe"
  - C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\Cortana.exe"
- C:\Windows\explorer.exe (level 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/632-131-0x0000000000FE0000-0x00000000010A2000-memory.dmp (Filesize: 776KB)
- memory/632-132-0x0000000005FB0000-0x0000000006554000-memory.dmp (Filesize: 5.6MB)
- memory/632-133-0x0000000005AA0000-0x0000000005B32000-memory.dmp (Filesize: 584KB)
- memory/824-135-0x0000000000000000-mapping.dmp
- memory/2432-134-0x0000000000000000-mapping.dmp