Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2022 15:19

General

  • Target

    server.exe

  • Size

    37KB

  • MD5

    4bc8c9f0374e9e8b462ba68c3c05cbc8

  • SHA1

    d23e233c019deb218dc12656b6068ed6bb1e0f09

  • SHA256

    1caefcd78f2581528f9ffe0dd5e3832dff1d4cc72168716145d59ceb0388f000

  • SHA512

    302068d057b831233057f3fd033f7d5a4b4fabca328ac135d637fc80119a2be938681e04951734b8078ad6a08a69dc59b279d0ae94f2db844c9a37adfcdb55d5

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2360
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Exsample.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4396
    • C:\Users\Admin\AppData\Local\Temp\tmp2357.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp2357.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:4596

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2357.tmp.exe
      Filesize

      39KB

      MD5

      5deb505257c4620dd4f384400530be29

      SHA1

      c70445b1cd19ab6e0d6061a54de54d172a32c8df

      SHA256

      08d688326886c51307f250f56b43cc13a6e90c516107f3f8bc0ddf675247c0ec

      SHA512

      4a90cb76532a03c53990a34c1cbb4bd539b68b9b2d603f58119a4ef2c2be26ce9ed822af98d7ceb9c7dc126970789754f45fce63ea146fe7ca481c07b4454813

    • C:\Users\Admin\AppData\Local\Temp\tmp2357.tmp.exe
      Filesize

      39KB

      MD5

      5deb505257c4620dd4f384400530be29

      SHA1

      c70445b1cd19ab6e0d6061a54de54d172a32c8df

      SHA256

      08d688326886c51307f250f56b43cc13a6e90c516107f3f8bc0ddf675247c0ec

      SHA512

      4a90cb76532a03c53990a34c1cbb4bd539b68b9b2d603f58119a4ef2c2be26ce9ed822af98d7ceb9c7dc126970789754f45fce63ea146fe7ca481c07b4454813

    • memory/2360-131-0x0000000000000000-mapping.dmp
    • memory/3444-134-0x0000000000000000-mapping.dmp
    • memory/3444-137-0x00000000008A0000-0x00000000008B0000-memory.dmp
      Filesize

      64KB

    • memory/3444-138-0x0000000005830000-0x0000000005DD4000-memory.dmp
      Filesize

      5.6MB

    • memory/3444-139-0x0000000005180000-0x0000000005212000-memory.dmp
      Filesize

      584KB

    • memory/3444-140-0x0000000005110000-0x000000000511A000-memory.dmp
      Filesize

      40KB

    • memory/4144-130-0x0000000074760000-0x0000000074D11000-memory.dmp
      Filesize

      5.7MB

    • memory/4144-133-0x0000000074760000-0x0000000074D11000-memory.dmp
      Filesize

      5.7MB

    • memory/4396-132-0x0000000000000000-mapping.dmp