Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-08-2022 07:36

Static task: static1
Behavioral task: behavioral1
Sample: 91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe
Resource: win7-20220812-en
General
- Target: 91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe
- Size: 1.5MB
- MD5: 45a7d174e1fee169316107638d633985
- SHA1: 0f6bb823d193e4ab8b3ac4facb9c55a0654927f2
- SHA256: 91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655
- SHA512: ac3253f8c40bf7cff08dfda0d01e826ffdb5dcc958aa545e4fc0309b115a533f4b69a00329273516cb6a79eee6d503b56236f9c3d6f5635d626dcd283095c028
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 1468: pmfre.exe
- PID 1300: pmfre.exe
Yara rule match: upx
Resources (memory dumps matching the upx rule):
- behavioral2/memory/1480-138-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/1480-139-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/1480-140-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/1480-141-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/1480-142-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/1480-145-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/3216-156-0x0000000000400000-0x00000000007E4000-memory.dmp
- behavioral2/memory/3216-157-0x0000000000400000-0x00000000007E4000-memory.dmp
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation (91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation (pmfre.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
- PID 1480: RegAsm.exe ×5
- PID 3216: RegAsm.exe ×1
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4420 (91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe) set thread context of PID 1480 (RegAsm.exe)
- PID 1468 (pmfre.exe) set thread context of PID 3216 (RegAsm.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 1248: schtasks.exe
- PID 3996: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 1480 (RegAsm.exe)
- Token: SeShutdownPrivilege, PID 3216 (RegAsm.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 1480: RegAsm.exe ×2
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (source PID wrote to memory of target PID; repeated rows collapsed with a count):
- PID 4420 (91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe) wrote to memory of PID 4940 (cmd.exe) ×3
- PID 4420 (91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe) wrote to memory of PID 1288 (cmd.exe) ×3
- PID 4940 (cmd.exe) wrote to memory of PID 1248 (schtasks.exe) ×3
- PID 4420 (91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe) wrote to memory of PID 1480 (RegAsm.exe) ×7
- PID 1468 (pmfre.exe) wrote to memory of PID 2152 (cmd.exe) ×3
- PID 1468 (pmfre.exe) wrote to memory of PID 2360 (cmd.exe) ×3
- PID 2152 (cmd.exe) wrote to memory of PID 3996 (schtasks.exe) ×3
- PID 1468 (pmfre.exe) wrote to memory of PID 3216 (RegAsm.exe) ×7
Processes

C:\Users\Admin\AppData\Local\Temp\91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe (PID 4420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4940)
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfre.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 1248)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfre.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 1288)
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655.exe" "C:\Users\Admin\AppData\Roaming\pmfre.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1480)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\pmfre.exe (PID 1468)
  Command line: C:\Users\Admin\AppData\Roaming\pmfre.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2152)
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfre.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3996)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfre.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 2360)
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\pmfre.exe" "C:\Users\Admin\AppData\Roaming\pmfre.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3216)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\pmfre.exe (PID 1300)
  Command line: C:\Users\Admin\AppData\Roaming\pmfre.exe
  - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pmfre.exe.log
  Filesize: 520B
  MD5: 3ca2f9e6a94c24c455ac9431a0bf479b
  SHA1: a90309eec691588990609f8f8ad9b935d6f38eb2
  SHA256: e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e
  SHA512: ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5

- C:\Users\Admin\AppData\Roaming\pmfre.exe (hashes match the submitted sample)
  Filesize: 1.5MB
  MD5: 45a7d174e1fee169316107638d633985
  SHA1: 0f6bb823d193e4ab8b3ac4facb9c55a0654927f2
  SHA256: 91eae4dde94e8192a5050abda781916bc08e16c52595a2e97d3b0000ae64a655
  SHA512: ac3253f8c40bf7cff08dfda0d01e826ffdb5dcc958aa545e4fc0309b115a533f4b69a00329273516cb6a79eee6d503b56236f9c3d6f5635d626dcd283095c028