Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2022 12:08
Static task
- static1
Behavioral tasks (sample on resource)
- behavioral1: Builder.exe on win10-20220414-en
- behavioral2: Builder.exe on win10v2004-20220721-en
- behavioral3: Builder.exe on win10-20220722-en
- behavioral4: Builder.exe on win10v2004-20220721-en
- behavioral5: Stub/stub.exe on win10-20220414-en
- behavioral6: Stub/stub.exe on win10v2004-20220722-en
General
- Target: Stub/stub.exe
- Size: 1.5MB
- MD5: cd57f9b56a059ce65666c2ee267f1f2a
- SHA1: e1c2e55dfcacf1605fa3f75b81d05bde25986aa6
- SHA256: f74dc7d939e1a44cd57d25d28e57c41a95e7080098bc1b37118ef8f51f6e2e36
- SHA512: fa91e2b2bbddd9016d9f02dc6db33482aa3707db1596236f5cbe00837ba87926801f1ff1ce302e6eb3e2ad0fa8a528e7a9256e34ca1ee2249d6ef12c17d8408d
Malware Config
Signatures
-
Checks computer location settings  2 TTPs  1 IoCs
Looks up the country code configured in the registry, likely a geofence check. Caveat: the Windows GetUserGeoID API, which .NET's RegionInfo/CultureInfo initialisation calls, reads the same value, so a plain locale lookup by a .NET binary also trips this signature; this report does not show which case applies.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  stub.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this likely ransomware behaviour, but nothing else in this run supports that reading: no encryption or mass file writes are recorded, and the only dropped file is the 57-byte batch listed under Downloads. Treat it as drive enumeration only.
-
Delays execution with timeout.exe  1 IoCs
Processes:
  pid 3412  timeout.exe
-
Kills process with taskkill  1 IoCs
Processes:
  pid 2560  taskkill.exe
-
Suspicious use of AdjustPrivilegeToken  2 IoCs
Processes:
  Token: SeDebugPrivilege  pid 4336  stub.exe
  Token: SeDebugPrivilege  pid 2560  taskkill.exe
-
Suspicious use of WriteProcessMemory  12 IoCs
Processes (each pair is logged three times, 12 entries in total):
  PID 4336 wrote to memory of 4764  stub.exe -> cmd.exe
  PID 4764 wrote to memory of 5104  cmd.exe -> chcp.com
  PID 4764 wrote to memory of 2560  cmd.exe -> taskkill.exe
  PID 4764 wrote to memory of 3412  cmd.exe -> timeout.exe
Every pair above is a parent writing into a child it has just created; no write into an unrelated process is recorded.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe  (PID 4336)
  "C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe  (PID 4764)
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7261.tmp.bat
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\chcp.com  (PID 5104)
          chcp 65001
      └ C:\Windows\SysWOW64\taskkill.exe  (PID 2560)
          TaskKill /F /IM 4336
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      └ C:\Windows\SysWOW64\timeout.exe  (PID 3412)
          Timeout /T 2 /Nobreak
          - Delays execution with timeout.exe
Notes on the tree:
- The command line asks for C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe. That is WoW64 file-system redirection, so stub.exe is a 32-bit process (consistent with the arch:x86 resource tag).
- 4336 is the PID of stub.exe itself, but taskkill's /IM switch takes an image name, not a PID (/PID is the switch for that). As written the command matches no process, so the batch does not actually terminate the stub; whatever it was meant to achieve by killing it fails, while the 2-second timeout still runs.
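The chain above (a dropper in %TEMP% spawning cmd.exe /C on a temp .bat whose children are chcp, taskkill and timeout) is easy to reconstruct and flag from process-creation telemetry. The script below is an added example for this report, not code from the sandbox or the sample: the records are constructed from the PIDs and command lines in the tree above, the field names are an assumption loosely modelled on Sysmon Event ID 1, and the taskkill check uses the /IM-takes-an-image-name rule noted above. It also rebuilds the batch body from the three child command lines so the result can be compared with the 57 B tmp7261.tmp.bat entry under Downloads.

```python
"""Reconstruct the stub.exe -> cmd.exe -> {chcp, taskkill, timeout} chain and
flag the dropped-batch pattern. Added example; not sandbox or sample code."""
import hashlib
import re
from collections import defaultdict

# Constructed from this report's process tree; NOT a real Sysmon export.
# Field names (pid, ppid, image, cmdline) are an assumption.
EVENTS = [
    {"pid": 4336, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"'},
    {"pid": 4764, "ppid": 4336,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7261.tmp.bat'},
    {"pid": 5104, "ppid": 4764, "image": r"C:\Windows\SysWOW64\chcp.com",
     "cmdline": "chcp 65001"},
    {"pid": 2560, "ppid": 4764, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "TaskKill /F /IM 4336"},
    {"pid": 3412, "ppid": 4764, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "Timeout /T 2 /Nobreak"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_RE = re.compile(r"/C\s+(?P<bat>\S+\.bat)\s*$", re.I)
TASKKILL_IM_PID_RE = re.compile(r"/IM\s+(?P<pid>\d+)\b", re.I)


def build_tree(events):
    """Index events by PID and group them by parent PID."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def find_batch_chains(events):
    """One finding per cmd.exe /C <...>.bat whose parent image lives in %TEMP%."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None or not TEMP_DIR_RE.search(parent["image"]):
            continue
        kids = children[e["pid"]]
        names = {k["image"].rsplit("\\", 1)[-1].lower() for k in kids}
        finding = {
            "dropper_pid": parent["pid"],
            "batch": m.group("bat"),
            "batch_in_temp": bool(TEMP_DIR_RE.search(m.group("bat"))),
            "children": sorted(names),
            # System32 requested but SysWOW64 ran: WoW64 redirection, 32-bit parent.
            "wow64": "\\syswow64\\" in e["image"].lower(),
            "taskkill_switch_bug": False,
            "taskkill_targets_parent_pid": False,
        }
        for k in kids:
            tm = TASKKILL_IM_PID_RE.search(k["cmdline"])
            if k["image"].lower().endswith("\\taskkill.exe") and tm:
                # /IM takes an image name; a bare number never matches a process.
                finding["taskkill_switch_bug"] = True
                finding["taskkill_targets_parent_pid"] = (
                    int(tm.group("pid")) == parent["pid"])
        findings.append(finding)
    return findings


def reconstruct_batch(events, cmd_pid):
    """Rebuild the .bat body from the child command lines, in the order the
    report lists them, as CRLF-terminated lines. Returns (size, md5) so the
    size can be checked against the Downloads entry and the digest compared
    by hand with the reported MD5."""
    _, children = build_tree(events)
    body = "".join(k["cmdline"] + "\r\n" for k in children[cmd_pid])
    raw = body.encode("ascii")
    return len(raw), hashlib.md5(raw).hexdigest()


if __name__ == "__main__":
    for f in find_batch_chains(EVENTS):
        print(f)
    print(reconstruct_batch(EVENTS, 4764))
```

The reconstructed body is 57 bytes (12 + 22 + 23), which is exactly the size the report gives for tmp7261.tmp.bat; whether the MD5 also matches depends on the batch using the same letter case and line endings as the logged command lines, so compare the returned digest against the Downloads entry rather than assuming it.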
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7261.tmp.bat
  Filesize: 57B (matches the three commands seen in the process tree written as CRLF-terminated lines: 12 + 22 + 23 bytes)
  MD5: 0b6934d545ba56aa213b488168ae6d58
  SHA1: 273859022b9bc6f2de345f05453fd31e5ec5b931
  SHA256: 0237cbf99c231e838b937de6c589424352c8d8e4499e291ba42ca1e3fca0be20
  SHA512: b9b660f40adbcb5beb7b0b9024ae770493dfddd2493eba05a9b7973d1b797ff98142324b5bec40cd7d266eb734f0566ed81ffa92940a0a3d4c5f4217a0ad49a9
-
memory/2560-137-0x0000000000000000-mapping.dmp
-
memory/3412-138-0x0000000000000000-mapping.dmp
-
memory/4336-132-0x0000000000E20000-0x0000000000FA4000-memory.dmp
  Filesize: 1.5MB (0x184000 = 1,589,248 bytes, consistent with the 1.5MB sample image loaded in stub.exe)
-
memory/4336-133-0x00000000058F0000-0x0000000005956000-memory.dmp
  Filesize: 408KB
-
memory/4764-134-0x0000000000000000-mapping.dmp
-
memory/5104-136-0x0000000000000000-mapping.dmp