Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2022 02:34
Static task: static1
Behavioral task: behavioral1
Sample: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Resource: win7-20220718-en
General
Target: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Size: 321KB
MD5: 71235e186670cfb93f258d51470961d8
SHA1: 4757c7f00f749da3d3144a4eec1bbe38b9374c29
SHA256: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c
SHA512: f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
  description: File created
  ioc: C:\Windows\assembly\Desktop.ini
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: File opened for modification
  ioc: C:\Windows\assembly\Desktop.ini
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description: File created
  ioc: C:\Windows\assembly\Desktop.ini
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: File opened for modification
  ioc: C:\Windows\assembly\Desktop.ini
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: File opened for modification
  ioc: C:\Windows\assembly
  process: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid 4648  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: Token: SeDebugPrivilege
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: Token: 33
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

  description: Token: SeIncBasePriorityPrivilege
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 4648 wrote to memory of 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
  PID 4648 wrote to memory of 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
  PID 4648 wrote to memory of 4700  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
  PID 4648 wrote to memory of 4812  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process cmd.exe
  PID 4648 wrote to memory of 4812  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process cmd.exe
  PID 4648 wrote to memory of 4812  process 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe  target process cmd.exe
  PID 4812 wrote to memory of 5020  process cmd.exe  target process PING.EXE
  PID 4812 wrote to memory of 5020  process cmd.exe  target process PING.EXE
  PID 4812 wrote to memory of 5020  process cmd.exe  target process PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4648

    C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4700

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4812

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 1.1.1.1 -n 1 -w 1000
          - Runs ping.exe
          PID: 5020

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4116
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Filesize: 321KB
MD5: 71235e186670cfb93f258d51470961d8
SHA1: 4757c7f00f749da3d3144a4eec1bbe38b9374c29
SHA256: 5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c
SHA512: f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8