Analysis
- max time kernel: 140s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-09-2022 04:48
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en
General
- Target: tmp.exe
- Size: 62KB
- MD5: 372c389955436b05a3e27c628f2f3dd6
- SHA1: 9b0e47953cfc4e4b314123966591cd72b3531426
- SHA256: 1584b24459df523db2d980cb45d3f3c4f010ed2c5b7f79312faad51ab3ee2abc
- SHA512: 8b9b41953739028ab668e39a95c974df6e0132fa6d85c29b1fcefcbc9c25b02ffcd1eb71c7a6a4814c5a624a99c279b752b705d286933bb71f798f37e706a40c
- SSDEEP: 1536:LjO/wOIXQFwWyE2IIq6KwTypLwCV/Gg3xLFrHtDGGZu:djXCwMIqnwTypLZ/PxrHtDpu
Malware Config
Extracted configuration: systembc
- 31.41.244.183:4257
- 194.36.177.46:4257
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2036  BBBBBBBBBBBBBBBBBBBB.exe
    pid 2208  BBBBBBBBBBBBBBBBBBBB.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4900 (tmp.exe) set thread context of PID 2012 (RegAsm.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\Windows\Tasks\wow64.job  (BBBBBBBBBBBBBBBBBBBB.exe)
    File opened for modification: C:\Windows\Tasks\wow64.job  (BBBBBBBBBBBBBBBBBBBB.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 2012 (RegAsm.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 4900 (tmp.exe) wrote to memory of PID 2012 (RegAsm.exe)  (8 entries)
    PID 2012 (RegAsm.exe) wrote to memory of PID 2036 (BBBBBBBBBBBBBBBBBBBB.exe)  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child process:
    - C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe (depth 3)
      Command line: "C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe"
      Signatures: Executes dropped EXE; Drops file in Windows directory
- C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe (depth 1)
  Command line: C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe start
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\BBBBBBBBBBBBBBBBBBBB.exe
  Filesize: 13KB
  MD5: 1be6092e32956e83b99c3dc7c66603c7
  SHA1: 92d942f9eba3c7146588f56d33a32262e042091d
  SHA256: 8dc6a4ee7b41ba73197485e2b685f7f82e9889b2e544269eabcc5c6c1cb8bac7
  SHA512: 9dbafbd83acf41cddf6da38f984e09a35d2639f326988845d91d80c2e449b3284c17d601d4f27eb1059a9122f719eeabdd3387aceb9c0c9eed2cca01c812e91e
- memory/2012-138-0x0000000000000000-mapping.dmp
- memory/2012-139-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2036-140-0x0000000000000000-mapping.dmp
- memory/4900-132-0x0000000000960000-0x0000000000976000-memory.dmp (Filesize: 88KB)
- memory/4900-133-0x00000000058C0000-0x0000000005E64000-memory.dmp (Filesize: 5.6MB)
- memory/4900-134-0x00000000053B0000-0x0000000005442000-memory.dmp (Filesize: 584KB)
- memory/4900-135-0x0000000005340000-0x000000000534A000-memory.dmp (Filesize: 40KB)
- memory/4900-136-0x0000000005600000-0x0000000005676000-memory.dmp (Filesize: 472KB)
- memory/4900-137-0x00000000054C0000-0x00000000054DE000-memory.dmp (Filesize: 120KB)