Analysis
- max time kernel: 144s
- max time network: 216s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 12:03

Static task: static1

Behavioral task: behavioral1
- Sample: 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
- Resource: win10v2004-20220721-en
General
- Target: 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
- Size: 102KB
- MD5: 58c848f7841d332fc990a34e4ebe87d0
- SHA1: 5ef60b4f3aba6c5fbc0f37dd0fab98e207801710
- SHA256: 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89
- SHA512: 596a8d135ca17dfdfaa3b2a6d8f2ccc14073c711224023b26fa8c8d4003ce54ee96c0884140e4e22af4ce05d7783298ad499fabb01a28ec5cb23e99a335c5381
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4792), sc.exe (PID 764), sc.exe (PID 1132)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (18 IoCs)
  Source in every case is PID 204, 5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe; each target process was written three times:
  PID 204 wrote to memory of PID 664 (cmd.exe)
  PID 204 wrote to memory of PID 3488 (cmd.exe)
  PID 204 wrote to memory of PID 4792 (sc.exe)
  PID 204 wrote to memory of PID 764 (sc.exe)
  PID 204 wrote to memory of PID 1132 (sc.exe)
  PID 204 wrote to memory of PID 2820 (netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe (PID 204)
   "C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bluiadtr\
   2. C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\azplsot.exe" C:\Windows\SysWOW64\bluiadtr\
   2. C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create bluiadtr binPath= "C:\Windows\SysWOW64\bluiadtr\azplsot.exe /d\"C:\Users\Admin\AppData\Local\Temp\5f662e5221809ede2d9bb46fb3be36fb15d4e6b35921c9c34c2412775ef00d89.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description bluiadtr "wifi internet conection"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start bluiadtr
      - Launches sc.exe
   2. C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Local\Temp\azplsot.exe
  Filesize: 13.3MB
  MD5: c8f922ea46698db2b2d5454f4cab8c7a
  SHA1: 87a1bb778781e2ae85c848dd65509c6e7c316aae
  SHA256: 65944cea62ca1b2f7e8a0fa0f1434f3ef5b0d4b5cb51e57223a36bf952f5f2fe
  SHA512: 422f745bfbd3658b309497b8da93df01b27033fc49ec61a0bc81b0591a6bbecb02459d613311290d3d35415d13f0508003659a40d8f7475eb2dcce2b6b7b7697
- memory/204-130-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/664-131-0x0000000000000000-mapping.dmp
- memory/764-135-0x0000000000000000-mapping.dmp
- memory/1132-136-0x0000000000000000-mapping.dmp
- memory/2820-137-0x0000000000000000-mapping.dmp
- memory/3488-132-0x0000000000000000-mapping.dmp
- memory/4792-134-0x0000000000000000-mapping.dmp