Analysis
max time kernel: 179s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 18:09
Behavioral task behavioral1
Sample: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Resource: win7-20220718-en
Behavioral task behavioral2
Sample: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Resource: win10v2004-20220721-en
General
Target: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Size: 756KB
MD5: 30cd1eb2e9eb2de1b915df13e69d9ab5
SHA1: b08ebca830448d2607741169c8c96de385b90a92
SHA256: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932
SHA512: 1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon runs every comma-separated entry of the Userinit value at interactive logon, so appending a second path here starts the dropped FFXIV.exe for any user who logs on. The value lives under HKLM, so the successful write implies the sample ran with an elevated token (consistent with the privileges listed under AdjustPrivilegeToken below).
Processes:
  process: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Favorites\\Final Fantasy\\FFXIV.exe"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  process: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FFupdater = "C:\\Users\\Admin\\Favorites\\Final Fantasy\\FFXIV.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report records no IoC for this signature, so it is a behavioural heuristic only; none of the other signatures on this page shows file encryption.
Modifies registry class (1 IoC)
Processes:
  process: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  process: 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe (pid 1484)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Processes
C:\Users\Admin\AppData\Local\Temp\5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe (pid 1484)
command line: "C:\Users\Admin\AppData\Local\Temp\5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken